Method and apparatus for anonymous IP datagram exchange using dynamic network address translation

US 8,549,285 B2
Filed: 06/14/2010
Issued: 10/01/2013
Est. Priority Date: 03/21/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving a datagram at a network device, the datagram having a first header;

determining, by the network device, a next-hop network element to which the datagram will be forwarded;

determining, by the network device, a unique next-hop identifier in accordance with a next-hop address associated with the next-hop network element;

generating, by the network device, a broadcast address in accordance with the next-hop address;

including, by the network device, the unique next-hop identifier in the first header;

encrypting, by the network device, a plurality of identifying portions of the first header, including the unique next hop identifier;

encapsulating, by the network device, the datagram with a second header whose address is set to the broadcast address; and

transmitting, by the network device, the datagram according to the broadcast address.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, system and computer program are provided for concealing the identity of a network device transmitting a datagram having a network layer header. A unique local identifier and broadcast address are determined in accordance with a next-hop address. A partially encrypted network layer header is determined by encrypting a plurality of identifying portions of the network layer header, where one portion of the network layer header is the unique local identifier. The datagram is encapsulated with another network layer header whose address is set to the broadcast address. The encapsulated datagram can be received and detunneled, and an address of a recipient can be extracted from the network layer header. The datagram is then admitted into a network domain.

Citations

10 Claims

1. A method comprising:
- receiving a datagram at a network device, the datagram having a first header;
  
  determining, by the network device, a next-hop network element to which the datagram will be forwarded;
  
  determining, by the network device, a unique next-hop identifier in accordance with a next-hop address associated with the next-hop network element;
  
  generating, by the network device, a broadcast address in accordance with the next-hop address;
  
  including, by the network device, the unique next-hop identifier in the first header;
  
  encrypting, by the network device, a plurality of identifying portions of the first header, including the unique next hop identifier;
  
  encapsulating, by the network device, the datagram with a second header whose address is set to the broadcast address; and
  
  transmitting, by the network device, the datagram according to the broadcast address.

2. A method, comprising:
- providing in a network, by operation of a computer, an IP datagram including a first header; and
  
  anonymously exchanging, by operation of said computer, said datagram from a sending node to an intended recipient node in said network, by;
  
  wrapping said datagram inside another routable, datagram having a second header;
  
  setting the destination address of said second header to a broadcast address of a subnet of said network, nodes of said subnet including said recipient node;
  
  transmitting said another routable datagram via said broadcast address;
  
  said nodes of said subnet including said intended recipient node receiving said another mutable datagram; and
  
  said intended recipient node accessing said datagram inside said another routable datagram.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10)
- - 3. The method of claim 2 further comprising:
    - providing a setup for said nodes of said subnet including said recipient node, by;
      
      assigning a host and a router to designated subnets;
      
      providing true IP addresses to said host and said router;
      
      assigning a unique local address to each network interface of each of said nodes;
      
      configuring network cards of said host with keys belonging to other hosts in a local AUD domain and with an AUD router key corresponding to the network interface connected to said local AUD domain;
      
      providing said router with said keys indexed by a unique local address of each host;
      
      creating a unique random initialization vector for each said host and said router and distributing said vector to said hosts for use as an index counter to control encryption properties and reduce likelihood of collisions; and
      
      providing each said host with an IP address of its respective default AUD router.
  - 4. The method of claim 2 further comprising:
    - determining if said sending node and said recipient node are in a same AUD domain;
      
      if in the same AUD domain, setting next hop address to IP address of said intended recipient;
      
      if not in the same AUD domain, consulting a routing table and setting said next-hop address to IP address of router obtained from said routing table;
      
      if said next hop address is not an AUD endpoint, using a proxy mode to emit a data link-layer frame; and
      
      if said next hop address is an AUD endpoint, creating a tunneled datagram to achieve said datagram inside of said another mutable datagram and emit said data link-layer frame after said setting the destination link-layer address to said broadcast address.
  - 5. The method of claim 4 wherein said IP datagram is an original IP datagram with recipient IP address specified in said first header and wherein said creating a tunneled datagram further comprises:
    - computing, a unique local identifier for said next hop address to obtain a unique next-hop identifier (UNHI);
      
      adding said UNHI into an IP options field of said original IP datagram;
      
      said sending node looking-up appropriate encryption key using said UNHI;
      
      encrypting portions of said first header, an IP options field and headers of said datagram in OSI transport and session layers, using said encryption key to obtain an obfuscated datagram header;
      
      determining if said router is in a local domain andif so, setting destination of IP address to a local broadcast address, andif not, setting destination of said IP address to a broadcast address of said router;
      
      creating an encapsulating datagram as said another routable datagram;
      
      setting the encapsulating source IP address to a completely random value for said subnet;
      
      encapsulating said obfuscated datagram;
      
      setting a next protocol field in said broadcast Datagram to type IP; and
      
      appending said obfuscated datagram to the encapsulating datagram header.
  - 6. The method of claim 2 wherein said receiving said another mutable datagram further comprises:
    - said nodes of said subnet including said sending node and said intended recipient node each receiving a data-link layer frame having, a broadcast IP header followed by an obfuscated IP datagram; and
      
      said sending node choosing to discard its received said data-link layer frame leaving all other of said nodes as receptive data-link layer frame nodes.
  - 7. The method of claim 6 wherein said accessing said datagram inside said another routable datagram comprises:
    - said receptive data-link layer frame nodes decrypting an obfuscated IP header using respective individual keys to obtain a decrypted IP header address;
      
      each of said receptive data-link layer frame nodes determining whether said decrypted IP header address matches its true IP address and if a decrypted unique local identifier in an IP options field matches its unique local identifier; and
      
      if said IP address match determination is affirmative and said unique local identifier match determination is affirmative,decapsulating said datagram,decrypting remainder of said obsfucated datagram, andforwarding said decrypted remainder for standard processing.
  - 8. The method of claim 7 further comprising:
    - if said IP address match determination is not affirmative and said unique local identifier match determination is affirmative,further determining if the subnet of the node with the destination address matches a subnet to which the host is connected and, if so, forwarding, the datagram to an appropriate network interface for said host.
  - 9. The method of claim 8 further comprising:
    - if results of said further determining are not affirmative, dropping said datagram.
  - 10. The method of claim 7 further comprising:
    - if said IP address match determination is not affirmative and said unique local identifier match determination is not affirmative, dropping said datagram.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC), Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Raytheon BBN Technologies Corp. (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Bubnis, Edward A. Jr., Keller, Thomas E., Fink, Russell A.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/814,624
Publication Number

US 20120117376A1
Time in Patent Office

1,205 Days
Field of Search

713/160, 713/161, 713/162, 713/163, 713/153
US Class Current

713/162
CPC Class Codes

H04L 61/2539   Hiding addresses; Keeping a...

H04L 63/0407   wherein the identity of one...

H04L 63/1466   Active attacks involving in...

H04L 69/22   Parsing or analysis of headers

Method and apparatus for anonymous IP datagram exchange using dynamic network address translation

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for anonymous IP datagram exchange using dynamic network address translation

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links