System and method for supporting secured communication by an aliased cluster

US 8,364,948 B2
Filed: 12/15/2004
Issued: 01/29/2013
Est. Priority Date: 07/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

implementing cluster aliasing for a cluster of a plurality of computer-based members; and

supporting, by the aliased cluster, secured communication with a non-member node, wherein the cluster aliasing provides an appearance to said non-member node of a common network address for the plurality of members, and wherein said supporting the secured communication comprises;

assigning a first of the plurality of members to process secure inbound data directed to the common network address from the non-member node; and

assigning a second, different of the plurality of members to send secure outbound data from the common network address to the non-member node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cluster aliasing is implemented for a cluster of a plurality of computer-based members. The aliased cluster supports secured communication with a non-member node. The cluster aliasing provides an appearance to the non-member node of a common network address for the plurality of members. In supporting the secured communication, a first of the plurality of members is assigned to process secure inbound data directed to the common network address from the non-member node, and a second, different of the plurality of members is assigned to send secure outbound data from the common network address to the non-member node.

35 Citations

View as Search Results

56 Claims

1. A method comprising:
- implementing cluster aliasing for a cluster of a plurality of computer-based members; and
  
  supporting, by the aliased cluster, secured communication with a non-member node, wherein the cluster aliasing provides an appearance to said non-member node of a common network address for the plurality of members, and wherein said supporting the secured communication comprises;
  
  assigning a first of the plurality of members to process secure inbound data directed to the common network address from the non-member node; and
  
  assigning a second, different of the plurality of members to send secure outbound data from the common network address to the non-member node.
- View Dependent Claims (2, 3, 4, 49, 50, 51)
- - 2. The method of claim 1 wherein said supporting the secured communication comprises:
    - supporting communication secured by communication protocol level security.
  - 3. The method of claim 1 wherein said supporting the secured communication comprises:
    - supporting Internet Protocol security (IPsec) secured communication.
  - 4. The method of claim 1 further comprising:
    - interfacing each of said plurality of members to a communication network over which said secured communication with said non-member node is conducted.
  - 49. The method of claim 1, further comprising:
    - a third of the plurality of members receiving the secure inbound data that is part of the secured communication from the non-member node;
      
      accessing, by the third member, cluster-wide information to identify which of the plurality of members is responsible for inbound processing of the secure inbound data; and
      
      in response to the identifying, forwarding the secure inbound data from the third member to the first member to process the inbound data.
  - 50. The method of claim 1, further comprising:
    - the first member decrypting the inbound data that is part of the secured communication using an inbound security association; and
      
      the second member encrypting the outbound data that is part of the secured communication using an outbound security association.
  - 51. The method of claim 1, further comprising migrating a role of processing secure inbound data from the first member to a third member of the aliased cluster in response to determining that the third member receives more secure inbound data than the first member.

5. A method comprising:
- implementing cluster aliasing for a cluster of a plurality of computer-based members; and
  
  using distributed processing among the plurality of members for supporting secured communication with a non-member node, wherein the cluster aliasing provides an appearance to said non-member node of a common network address for the plurality of members, and wherein using distributed processing among the plurality of members for supporting the secured communication comprises;
  
  assigning a first of the plurality of members to process secure inbound data directed to the common network address from the non-member node;
  
  assigning a second, different of the plurality of members to send secure outbound data from the common network address to the non-member node; and
  
  assigning a third, different of the members to negotiate a security association for the secured communication using the common network address.
- View Dependent Claims (6, 52)
- - 6. The method of claim 5 further comprising:
    - making information associated with the secured communication visible cluster-wide.
  - 52. The method of claim 5, further comprising migrating a role of sending secure outbound data from the second member to another member of the aliased cluster in response to determining that the another member has more secure outbound data to send than the second member.

7. A method comprising:
- implementing cluster aliasing for a cluster of a plurality of computer-based members, wherein the cluster appearance to a non-member node of a common network address for the plurality of members;
  
  performing, by the aliased cluster, negotiation of security for a secured communication using the common network address with said non-member node, wherein the negotiation is performed by a first of the plurality of members; and
  
  processing secure inbound data addressed to the common network address by a second, different one of the plurality of members.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 53)
- - 8. The method of claim 7 wherein said performing negotiation comprises:
    - receiving at a third member of said cluster a first negotiation packet from said non-member node.
  - 9. The method of claim 8 wherein said first negotiation packet comprises a first Internet Key Exchange (IKE) message.
  - 10. The method of claim 8 comprising:
    - sending, from said non-member node, said first negotiation packet to the common network address of said aliased cluster.
  - 11. The method of claim 8 further comprising:
    - said third member accessing a directory that is visible cluster-wide; and
      
      said third member determining from said directory whether another member has claimed responsibility for performing this negotiation of security with said non-member node.
  - 12. The method of claim 11 further comprising:
    - if determined that the first member has claimed responsibility for performing this negotiation of security with said non-member node, said third member forwarding the received first negotiation packet to said member; and
      
      if determined that no other member has claimed responsibility for performing this negotiation of security with said non-member node, said third member claiming said responsibility and creating an entry in said directory identifying that said third member claims said responsibility.
  - 13. The method of claim 12 further comprising:
    - the first member having claimed said responsibility processing the received first negotiation packet and sends a response to said non-member node.
  - 14. The method of claim 12 further comprising:
    - until security negotiation with said non-member node is complete, received negotiation packets for this security negotiation are forwarded within the aliased cluster to the first member having claimed said responsibility.
  - 15. The method of claim 14 further comprising:
    - when said security negotiation with said non-member node is complete, the first member having claimed said responsibility creating at least one security association (SA) for use in supporting the secured communication with said non-member node.
  - 16. The method of claim 15 wherein said creating at least one SA further comprises:
    - said first member having claimed said responsibility creating a security negotiation association.
  - 17. The method of claim 16 wherein said security negotiation association is used for dynamically varying security keys for the secured communication.
  - 18. The method of claim 17 wherein said security keys comprise encryption and decryption keys.
  - 19. The method of claim 16 wherein said security negotiation association comprises an Internet Key Exchange (IKE) Security Association (SA).
  - 53. The method of claim 7, further comprising:
    - sending, by a third, different one of the plurality of members, secure outbound data from the common network address.

20. A method comprising:
- implementing cluster aliasing to generate an aliased network address for a cluster of a plurality of computer-based members; and
  
  supporting, by the aliased cluster, secured communication with a non-member node, wherein said supporting includes(a) creating an inbound Security Association (SA) for use in processing, by a first one of the plurality of members, secured data addressed to the aliased network address received from said non-member node and(b) creating an outbound SA for use in securing data to be sent, by a second, different one of the plurality of members, from the aliased network address to said non-member node.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20 wherein said secured communication comprises Internet Protocol security (IPsec) secured communication.
  - 22. The method of claim 20 further comprising:
    - assigning said inbound SA to the first member of said cluster, andassigning said outbound SA to the second member of said cluster.
  - 23. The method of claim 22 further comprising:
    - publishing to the cluster the identity of said first member to whom said inbound SA is assigned; and
      
      publishing to the cluster the identity of said second member to whom said outbound SA is assigned.
  - 24. The method of claim 23 wherein said publishing comprises creating an entry in at least one, directory that is visible cluster-wide.

25. Computer-executable software code stored to a computer-readable storage device, said computer-executable software code comprising:
- code for supporting secured communication between an aliased cluster having a plurality of members and a non-member node, wherein the aliased cluster is associated with an aliased network address, wherein said code for supporting includes(a) code for assigning to a first member of the aliased cluster a role of Inbound-Processor for the secured communication involving the aliased network address,(b) code for assigning to a second, different member of the aliased cluster a role of Outbound-Processor for the secured communication involving the aliased network address,(c) code for publishing to the cluster the identity of said Inbound-Processor member for the secured communication, and(d) code for publishing to the cluster the identity of said Outbound-Processor member for the secured communication.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The computer-executable software code of claim 25 further comprising:
    - code executable upon a given member other than the Inbound-Processor member receiving a packet of the secured communication from said non-member node for forwarding the received packet within the cluster to the Inbound-Processor member.
  - 27. The computer-executable software code of claim 26 further comprising:
    - code executable for monitoring the amount of packets forwarded to said Inbound-Processor member from another member; and
      
      code executable for determining, based at least in part on said monitored amount of forwarded packets, whether to transfer the role of Inbound-Processor to another member.
  - 28. The computer-executable software code of claim 25 further comprising:
    - code executable upon a given member other than the Outbound-Processor member having a response to be sent in the secured communication to said non-member node for forwarding the response within the cluster to the Outbound-Processor member.
  - 29. The computer-executable software code of claim 28 further comprising:
    - code executable for monitoring an amount of responses forwarded to said Outbound-Processor member from another member, andcode executable for determining, based at least in part on said monitored amount of forwarded responses, whether to transfer the role of Outbound-Processor to another member.

30. A system comprising:
- an aliased cluster having a plurality of processor-based devices as members, wherein said aliased cluster supports communication protocol level secured communication with a non-member node, and wherein the aliased cluster is associated with a common network address,wherein a first of the plurality of members is assigned to process secure inbound data sent to the common network address from the non-member node, andwherein a second, different of the plurality of members is assigned to send secure outbound data from the common network address to the non-member node.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 54, 55)
- - 31. The system of claim 30 wherein said communication protocol level secured communication is Internet Protocol security (IPsec) secured communication.
  - 32. The system of claim 30 wherein said aliased cluster is communicatively coupled to a communication network.
  - 33. The system of claim 32 wherein said plurality of members each have an interface to said communication network.
  - 34. The system of claim 30 wherein said aliased cluster is operable to dynamically transfer roles of processing secure inbound data and sending secure outbound data to other members within the aliased cluster during a given secured communication session.
  - 35. The system of claim 34 wherein said aliased cluster dynamically transfers the role of processing secure inbound data to a member within the aliased cluster that provides optimal efficiency for inbound processing for said given secured communication session, and wherein said aliased cluster dynamically transfers the role of sending secure outbound data to a member within the aliased cluster that provides optimal efficiency for outbound processing for said given secured communication session.
  - 36. The system of claim 35 wherein said optimal efficiency minimizes an amount of forwarding of packets of the given secured communication session within the aliased cluster.
  - 37. The system of claim 30 further comprising:
    - an inbound directory that is accessible to all members of the aliased cluster and that identifies for a given secured communication session a member assigned to process secure inbound data.
  - 38. The system of claim 30 further comprising:
    - an outbound directory that is accessible to all members of the aliased cluster and that identifies for a given secured communication session a member assigned to send secure outbound data.
  - 39. The system of claim 30 further comprising:
    - an Internet Key Exchange (IKE) directory that is accessible to all members of the aliased cluster and that identifies for a given secured communication session a member assigned as IKE-Negotiator.
  - 54. The system of claim 30, wherein the secure inbound data and secure outbound data are part of the secured communication with the non-member node.
  - 55. The system of claim 30, wherein the first member processes the inbound data using an inbound security association, and the second member protects the outbound data using an outbound security association.

40. A method of supporting Internet Protocol security (IPsec) secured communication by an aliased cluster, the method comprising:
- assigning, for a given IPsec secured communication session with a node that is not a member of said cluster, a role of Inbound-Processor to a first member of the aliased cluster for processing secure inbound data addressed to an aliased network address of the aliased cluster;
  
  assigning, for the given IPsec secured communication session, a role of Outbound-Processor to a second different member of the aliased cluster to send secure outbound data from the aliased network address;
  
  publishing the identity of the first member assigned the role of Inbound-Processor in a directory that is accessible by all members of the aliased cluster; and
  
  publishing the identity of the second member assigned the role of Outbound-Processor in a directory that is accessible by all members of the aliased cluster.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 56)
- - 41. The method of claim 40 further comprising:
    - upon a given member other than the first member assigned the role of Inbound-Processor receiving an inbound IPsec secured packet from the non-member node, the given member forwarding the received inbound IPsec secured packet within the aliased cluster to the first member assigned the role of Inbound-Processor.
  - 42. The method of claim 41 further comprising:
    - the given member determining the first member assigned the role of Inbound-Processor from the published identity of the first member assigned the role of Inbound-Processor.
  - 43. The method of claim 41 further comprising:
    - monitoring an amount of forwarding of inbound IPsec protected packets within the cluster from other members to the first member assigned the role of Inbound-Processor; and
      
      determining whether efficiency of the cluster in supporting the IPsec secured communication would be improved by transferring the role of Inbound-Processor to another member in the aliased cluster.
  - 44. The method of claim 43 further comprising:
    - if determined that said efficiency would be improved, transferring the role of Inbound-Processor to another member of the aliased cluster.
  - 45. The method of claim 40 further comprising:
    - upon a given member other than the second member assigned the role of Outbound-Processor receiving an outbound response to the non-member node, the given member forwarding the outbound response within the aliased cluster to the second member assigned the role of Outbound-Processor.
  - 46. The method of claim 45 further comprising:
    - the given member determining the second member assigned the role of Outbound-Processor from the published identity of the second member assigned the role of Outbound-Processor.
  - 47. The method of claim 45 further comprising:
    - monitoring the amount of forwarding of outbound responses within the cluster from other members to the second member assigned the role of Outbound-Processor, anddetermining whether efficiency of the cluster in supporting the IPsec secured communication would be improved by transferring the role of Outbound-Processor to another member.
  - 48. The method of claim 47 further comprising:
    - if determined that said efficiency would be improved, transferring the role of Outbound-Processor to another member of the aliased cluster.
  - 56. The method of claim 40, wherein the first member processes the secure inbound data according to an inbound security association, and wherein the second member sends the secure outbound data protected according to the outbound security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Grebus, Gary L., Vuong, Dan C., Moore, Paul
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US11/013,197
Publication Number

US 20060002388A1
Time in Patent Office

2,967 Days
Field of Search

709/245, 709/238, 370/401, 370/389, 370/395, 713/165, 713/201, 713/168, 713/153, 726/11
US Class Current

713/153
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/164 at the network layer

System and method for supporting secured communication by an aliased cluster

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for supporting secured communication by an aliased cluster

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links