Tuning of SSL session caches based on SSL session IDS

US 8,484,361 B1
Filed: 01/26/2012
Issued: 07/09/2013
Est. Priority Date: 02/26/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing a network communication, comprising:

executing on one or more processors, actions including;

receiving a Secured Socket Layer (SSL) session identifier (ID) within an SSL handshake protocol message for establishing an SSL connection;

performing a reversible exclusive-or operation on the SSL session ID with a pre-determined ID associated with a network device to generate an other ID, wherein the other ID comprises a plurality of information associated with an operation for caching the SSL session ID and other information usable for re-establishing an SSL session;

determining, based on at least a portion of the other ID, a failure statistic associated with re-establishing the SSL session for the SSL connection; and

tuning the operation for caching based on the failure statistic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus are directed towards managing a network communication. A Secured Socket Layer (SSL) session identifier (ID) is received within an SSL handshake protocol message for establishing an SSL connection. The SSL session ID is combined with a pre-determined ID associated with a network device to generate another ID. The other ID may comprise a plurality of information associated with an operation for caching the SSL session ID and/or for caching other information usable in re-establishing an SSL session over the SSL connection. The plurality of information may comprise an expiration time, a cache line, a cache ID, and a unique ID. Based on at least a portion of the other ID, a failure statistic associated with re-establishing the SSL session for the SSL connection is determined. A session cache and/or the operation for caching are tuned based on the failure statistic.

Citations

14 Claims

1. A method for managing a network communication, comprising:
- executing on one or more processors, actions including;
  
  receiving a Secured Socket Layer (SSL) session identifier (ID) within an SSL handshake protocol message for establishing an SSL connection;
  
  performing a reversible exclusive-or operation on the SSL session ID with a pre-determined ID associated with a network device to generate an other ID, wherein the other ID comprises a plurality of information associated with an operation for caching the SSL session ID and other information usable for re-establishing an SSL session;
  
  determining, based on at least a portion of the other ID, a failure statistic associated with re-establishing the SSL session for the SSL connection; and
  
  tuning the operation for caching based on the failure statistic.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein tuning comprises:
    - modifying at least one of a maximum cache size, an expiration time window for generating a new expiration time, or a number of cache lookup tables.
  - 3. The method of claim 1, wherein executing on one or more processors, the following actions, further comprising:
    - re-establishing the SSL session over the SSL connection based at least in part on the other ID.
  - 4. The method of claim 1, wherein the other ID includes a plurality of different portions of bits, the different portions representing at one of an expiration time, a cache line, or a cache ID.
  - 5. The method of claim 1, wherein the failure statistic is further based on a comparison of the other ID to a generated ID to determine whether the other ID is valid at least to enable re-establishing of an SSL session, or whether the SSL session ID is counterfeit based in part on a comparison of a threshold value to a portion of the other ID.
  - 6. The method of claim 1, wherein when it is determined that that the other ID is invalid for re-establishing the SSL session, generating a new SSL session ID.

7. A network communication management system comprising:
- a memory that stores executable instructions, which when executed, manages a secure socket layer (SSL) session cache; and
  
  a processor that executes the stored machine executable instructions to manage the SSL session cache by performing actions including;
  
  generating an SSL session identifier for an SSL session within an SSL connection by performing a reversible exclusive-or operation using a first identifier and a second identifier as operands, at least a portion of the first identifier including SSL session information that can be used for of determining a failure statistic associated with re-establishing the SSL session; and
  
  sending or receiving the SSL session identifier during at least one SSL handshake to establish or re-establish the SSL session.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The network communication management system of claim 7, wherein the processor executes the stored machine executable instructions to manage the SSL session cache by performing additional actions comprising:
    - tuning the SSL session cache based on the failure statistic generated for the SSL session by adjusting at least one of either a number of cache lookup tables used, cache lookup table sizes, SSL session expiration times, time-to-live parameters, or any other SSL session cache parameter.
  - 9. The network communication management system of claim 7, wherein the processor performs additional actions, comprising:
    - receiving an other ID;
      
      performing the reversible exclusive-or operation on the other ID with the second identifier; and
      
      when the reversible exclusive-or operation on the other ID fails to generate the first identifier useable to re-establishing the SSL session, generating a new session identifier to be used in establishing a new session.
  - 10. The network communication management system of claim 7, wherein the first identifier includes a plurality of bits, wherein different bits are used to identify at least two of a cache line, a unique ID, a cache ID, or an expiration time.
  - 11. The network communication management system of claim 7, wherein determining a failure statistic comprises:
    - performing the reversible exclusive-or operation using the SSL session identifier and a second identifier as operands to generate an other ID;
      
      examining bits within the other ID to identify a cache ID; and
      
      when the identified cache ID is determined to be unassociated with a cache lookup table, indicating that the other ID is counterfeit.
  - 12. The network communication management system of claim 7, wherein determining a failure statistic comprises:
    - performing the reversible exclusive-or operation using the SSL session identifier and a second identifier as operands to generate an other ID;
      
      examining bits within the other ID to identify a cache line; and
      
      when the cache line greater that a maximum cache line, indicating that the other ID is counterfeit.
  - 13. The network communication management system of claim 7, wherein determining a failure statistic comprises:
    - performing the reversible exclusive-or operation using the SSL session identifier and a second identifier as operands to generate an other ID;
      
      examining bits within the other ID to identify an expiration time; and
      
      when the expiration time is determined to be less than an other time, indicating that the other ID is counterfeit.
  - 14. The network communication management system of claim 7, wherein the failure statistic is used to tune at least one characteristic of a cache used for storing information used to manage SSL sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hawthorne, Jonathan Mini
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
KOROBOV, VITALI A

Application Number

US13/359,432
Time in Patent Office

530 Days
Field of Search

709/205, 709/217, 709/223, 709/227, 709/228, 709/238, 726/5, 713/150
US Class Current

709/228
CPC Class Codes

H04L 63/166 at the transport layer

Tuning of SSL session caches based on SSL session IDS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Tuning of SSL session caches based on SSL session IDS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links