Establishing tunnels between selective endpoint devices along communication paths

US 8,458,344 B2
Filed: 05/05/2011
Issued: 06/04/2013
Est. Priority Date: 05/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

by a first computing device,receiving a first communication packet from a second computing device destined to a third computing device;

if the first communication packet is a connection-initiating packet having no customization indicator, then;

generating a second connection-initiating packet having a customization indicator and addressed to the third computing device;

setting a value of the customization indicator of the second connection-initiating packet to 0; and

sending the second connection-initiating packet to the third computing device;

if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then;

generating a third connection-initiating packet having a customization indicator and addressed to the third computing device;

setting a value of the customization indicator of the third connection-initiating packet to 1; and

sending the third connection-initiating packet to the third computing device;

if the first communication packet is a connection-initiating packet having a customization indicator with a value of 1, then;

generating a first connection-acknowledgement packet having a customization indicator and addressed to the second computing device;

setting a value of the customization indicator of the first connection-acknowledgement packet to 1; and

sending the first connection-acknowledgement packet to the second computing device;

if the first communication packet is a connection-acknowledgement packet having no customization indicator, then;

installing an intercept rule;

generating a second connection-acknowledgement packet having a customization indicator and addressed to the second computing device;

setting a value of the customization indicator of the second connection-acknowledgement packet to 1; and

sending the second connection-acknowledgement packet to the second computing device; and

if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, then;

installing a bypass rule.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, an intermediary device situated along a communication path between two endpoint devices may receive communication packets sent along the communication path. If the intermediary device receives a connection-initiating packet having a customization indicator and a connection-acknowledgement packet having a customization indicator, then the intermediary device may install a bypass rule.

11 Citations

View as Search Results

24 Claims

1. A method comprising:
- by a first computing device,receiving a first communication packet from a second computing device destined to a third computing device;
  
  if the first communication packet is a connection-initiating packet having no customization indicator, then;
  
  generating a second connection-initiating packet having a customization indicator and addressed to the third computing device;
  
  setting a value of the customization indicator of the second connection-initiating packet to 0; and
  
  sending the second connection-initiating packet to the third computing device;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then;
  
  generating a third connection-initiating packet having a customization indicator and addressed to the third computing device;
  
  setting a value of the customization indicator of the third connection-initiating packet to 1; and
  
  sending the third connection-initiating packet to the third computing device;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 1, then;
  
  generating a first connection-acknowledgement packet having a customization indicator and addressed to the second computing device;
  
  setting a value of the customization indicator of the first connection-acknowledgement packet to 1; and
  
  sending the first connection-acknowledgement packet to the second computing device;
  
  if the first communication packet is a connection-acknowledgement packet having no customization indicator, then;
  
  installing an intercept rule;
  
  generating a second connection-acknowledgement packet having a customization indicator and addressed to the second computing device;
  
  setting a value of the customization indicator of the second connection-acknowledgement packet to 1; and
  
  sending the second connection-acknowledgement packet to the second computing device; and
  
  if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, then;
  
  installing a bypass rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first computing device is situated along a communication path in between the second computing device and the third computing device.
  - 3. The method of claim 1, further comprising if the first communication packet is a connection-initiating packet having no customization indicator, then:
    - completing a first connection between the first computing device and the second computing device; and
      
      initiating a second connection between the first computing device and the third computing device.
  - 4. The method of claim 1, further comprising if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then:
    - suspending a first connection between the first computing device and the second computing device;
      
      initiating a second connection between the first computing device and the third computing device; and
      
      holding the first communication packet.
  - 5. The method of claim 1, further comprising if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, thenclosing a connection between the first computing device and the third computing device;
    - andforwarding a previously received connection-initiating packet having a customization indicator with a value of 0 to the third computing device.
  - 6. The method of claim 1, wherein the bypass rule and the intercept rule each comprise a peer identifier, a destination Internet Protocol (IP) address, and a destination port.
  - 7. The method of claim 1, wherein the bypass rule and the intercept rule each comprise a source IP address, a source port, a destination IP address, and a destination port.
  - 8. The method of claim 1, wherein:
    - if the first communication packet is a connection-initiating packet having no customization indicator, then the first computing device establishes a transparent connection with a concentrator device; and
      
      if the first communication packet is a connection-acknowledgement packet having no customization indicator, then first computing device establishes a transparent connection with a branch device.

9. A first system comprising:
- a memory comprising instructions executable by one or more processors; and
  
  the one or more processors coupled to the memory and operable to execute the instructions, the one or more processors being operable when executing the instructions to;
  
  receive a first communication packet from a second system destined to a third system;
  
  if the first communication packet is a connection-initiating packet having no customization indicator, then;
  
  generate a second connection-initiating packet having a customization indicator and addressed to the third system;
  
  set a value of the customization indicator of the second connection-initiating packet to 0; and
  
  send the second connection-initiating packet to the third system;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then;
  
  generate a third connection-initiating packet having a customization indicator and addressed to the third system;
  
  set a value of the customization indicator of the third connection-initiating packet to 1; and
  
  send the third connection-initiating packet to the third system;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 1, then;
  
  generate a first connection-acknowledgement packet having a customization indicator and addressed to the second system;
  
  set a value of the customization indicator of the first connection-acknowledgement packet to 1; and
  
  send the first connection-acknowledgement packet to the second system;
  
  if the first communication packet is a connection-acknowledgement packet having no customization indicator, then;
  
  install an intercept rule;
  
  generate a second connection-acknowledgement packet having a customization indicator and addressed to the second system;
  
  set a value of the customization indicator of the second connection-acknowledgement packet to 1; and
  
  send the second connection-acknowledgement packet to the second system; and
  
  if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, then;
  
  install a bypass rule.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The first system of claim 9, wherein the first system is situated along a communication path in between the second system and the third system.
  - 11. The first system of claim 9, wherein the one or more processors are further operable when executing the instructions to, if the first communication packet is a connection-initiating packet having no customization indicator, then:
    - complete a first connection between the first system and the second system; and
      
      initiate a second connection between the first system and the third system.
  - 12. The first system of claim 9, wherein the one or more processors are further operable when executing the instructions to, if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then:
    - suspend a first connection between the first system and the second system;
      
      initiate a second connection between the first system and the third system; and
      
      hold the first communication packet.
  - 13. The first system of claim 9, wherein the one or more processors are further operable when executing the instructions to, if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, thenclose a connection between the first system and the third system;
    - andforward a previously received connection-initiating packet having a customization indicator with a value of 0 to the third system.
  - 14. The first system of claim 9, wherein the bypass rule and the intercept rule each comprise a peer identifier, a destination Internet Protocol (IP) address, and a destination port.
  - 15. The first system of claim 9, wherein the bypass rule and the intercept rule each comprise a source IP address, a source port, a destination IP address, and a destination port.
  - 16. The first system of claim 9, wherein:
    - if the first communication packet is a connection-initiating packet having no customization indicator, then the first system establishes a transparent connection with a concentrator system; and
      
      if the first communication packet is a connection-acknowledgement packet having no customization indicator, then first system establishes a transparent connection with a branch system.

17. One or more computer-readable non-transitory storage media embodying software operable when executed by a first computer system to:
- receive a first communication packet from a second computer system destined to a third computer system;
  
  if the first communication packet is a connection-initiating packet having no customization indicator, then;
  
  generate a second connection-initiating packet having a customization indicator and addressed to the third computer system;
  
  set a value of the customization indicator of the second connection-initiating packet to 0; and
  
  send the second connection-initiating packet to the third computer system;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then;
  
  generate a third connection-initiating packet having a customization indicator and addressed to the third computer system;
  
  set a value of the customization indicator of the third connection-initiating packet to 1; and
  
  send the third connection-initiating packet to the third computer system;
  
  if the first communication packet is a connection-initiating packet having a customization indicator with a value of 1, then;
  
  generate a first connection-acknowledgement packet having a customization indicator and addressed to the second computer system;
  
  set a value of the customization indicator of the first connection-acknowledgement packet to 1; and
  
  send the first connection-acknowledgement packet to the second computer system;
  
  if the first communication packet is a connection-acknowledgement packet having no customization indicator, then;
  
  install an intercept rule;
  
  generate a second connection-acknowledgement packet having a customization indicator and addressed to the second computer system;
  
  set a value of the customization indicator of the second connection-acknowledgement packet to 1; and
  
  send the second connection-acknowledgement packet to the second computer system; and
  
  if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, then;
  
  install a bypass rule.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The media of claim 17, wherein the first computer system is situated along a communication path in between the second computer system and the third computer system.
  - 19. The media of claim 17, wherein the software is further operable when executed by the first computer system to, if the first communication packet is a connection-initiating packet having no customization indicator, then:
    - complete a first connection between the first computer system and the second computer system; and
      
      initiate a second connection between the first computer system and the third computer system.
  - 20. The media of claim 17, wherein the software is further operable when executed by the first computer system to, if the first communication packet is a connection-initiating packet having a customization indicator with a value of 0, then:
    - suspend a first connection between the first computer system and the second computer system;
      
      initiate a second connection between the first computer system and the third computer system; and
      
      hold the first communication packet.
  - 21. The media of claim 17, wherein the software is further operable when executed by the first computer system to, if the first communication packet is a connection-acknowledgement packet having a customization indicator with a value of 1, thenclose a connection between the first computer system and the third computer system;
    - andforward a previously received connection-initiating packet having a customization indicator with a value of 0 to the third computer system.
  - 22. The media of claim 17, wherein the bypass rule and the intercept rule each comprise a peer identifier, a destination Internet Protocol (IP) address, and a destination port.
  - 23. The media of claim 17, wherein the bypass rule and the intercept rule each comprise a source IP address, a source port, a destination IP address, and a destination port.
  - 24. The media of claim 17, wherein:
    - if the first communication packet is a connection-initiating packet having no customization indicator, then the first computer system establishes a transparent connection with a concentrator computer system; and
      
      if the first communication packet is a connection-acknowledgement packet having no customization indicator, then first computer system establishes a transparent connection with a branch computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Li, Qing, Huang, Yusheng
Primary Examiner(s)
CHRISS, ANDREW W
Assistant Examiner(s)
Reddy, Ajit

Application Number

US13/101,661
Publication Number

US 20120284416A1
Time in Patent Office

761 Days
Field of Search

None
US Class Current

709/228
CPC Class Codes

H04L 12/4633 Interconnection of networks...

H04L 65/1101 Session protocols

Establishing tunnels between selective endpoint devices along communication paths

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing tunnels between selective endpoint devices along communication paths

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links