Methods and devices for packet tagging using IP indexing via dynamic-length prefix code

US 8,615,655 B2
Filed: 01/22/2009
Issued: 12/24/2013
Est. Priority Date: 01/22/2009
Status: Active Grant

First Claim

Patent Images

1. A method for packet tagging, the method comprising the steps of:

obtaining, by a sender module, a sender identity for a sender of said IP packet, upon sending an internet-protocol (IP) packet;

tagging, by said sender module, said IP packet with said sender identity, to enable a receiver to authenticate the sender identity after receiving said IP packet, wherein said IP packet includes a plurality of fixed-length fields, wherein two of said fixed-length fields are concatenated into a single fixed-length virtual field, wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint, and wherein tagging is performed using an identification field and a time-to-live (TTL) field; and

prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field between said cryptographic hash and said identity index, to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints, and wherein the said partitioning is effected in response to a change in a number of multiple distinct identities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.

27 Citations

18 Claims

1. A method for packet tagging, the method comprising the steps of:
- obtaining, by a sender module, a sender identity for a sender of said IP packet, upon sending an internet-protocol (IP) packet;
  
  tagging, by said sender module, said IP packet with said sender identity, to enable a receiver to authenticate the sender identity after receiving said IP packet, wherein said IP packet includes a plurality of fixed-length fields, wherein two of said fixed-length fields are concatenated into a single fixed-length virtual field, wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint, and wherein tagging is performed using an identification field and a time-to-live (TTL) field; and
  
  prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field between said cryptographic hash and said identity index, to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints, and wherein the said partitioning is effected in response to a change in a number of multiple distinct identities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said step of partitioning includes dynamically re-assigning said multiple distinct identities to entities on said IP endpoint.
  - 3. The method of claim 1, wherein said step of obtaining includes:
    - (i) accessing, by said sender module, a server for obtaining said sender identity; and
      
      (ii) associating, by said server, said sender identity with said IP endpoint.
  - 4. The method of claim 3, wherein said associating is performed using a prefix code for encoding said multiple distinct identities.
  - 5. The method of claim 4, wherein no code word of said prefix code is a prefix of any other code word of said prefix code.
  - 6. The method of claim 1, wherein said sender module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.
  - 7. The method of claim 1, further comprising the steps of:
    - (d) determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
      
      (e) checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
      
      (f) enforcing a security policy, by said receiver module, according to said sender identity.
  - 8. The method of claim 7, wherein said receiver module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.
  - 9. The method of claim 1, wherein said identity index is separate from said cryptographic hash.

10. A non-transitory computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
- program code for obtaining, by a sender module, a sender identity for a sender of said IP packet, upon sending an internet-protocol (IP) packet;
  
  program code for securely tagging, by said sender module, said IP packet with said sender identity, to enable a receiver to authenticate the sender identity after receiving said IP packet, wherein said IP packet includes a plurality of fixed-length fields, wherein two of said fixed-length fields are concatenated into a single fixed-length virtual field, wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint, and wherein tagging is performed using an identification field and a time-to-live (TTL) field; and
  
  program code for, prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field between said cryptographic hash and said identity index, to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints, and wherein the said partitioning is effected in response to a change in a number of multiple distinct identities.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The storage medium of claim 10, wherein said program code for partitioning includes program code for dynamically re-assigning said multiple distinct identities to entities on said IP endpoint.
  - 12. The storage medium of claim 10, wherein said program code for obtaining includes:
    - (i) program code for accessing, by said sender module, a server for obtaining said sender identity; and
      
      (ii) program code for associating, by said server, said sender identity with said IP endpoint.
  - 13. The storage medium of claim 12, wherein said program code for associating is operative using a prefix code for encoding said multiple distinct identities.
  - 14. The storage medium of claim 13, wherein no code word of said prefix code is a prefix of any other code word of said prefix code.
  - 15. The storage medium of claim 10, wherein said sender module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.
  - 16. The storage medium of claim 10, the computer-readable code further comprising:
    - (d) program code for determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
      
      (e) program code for checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
      
      (f) program code for enforcing a security policy, by said receiver module, according to said sender identity.
  - 17. The storage medium of claim 16, wherein said receiver module is a component of a device selected from the group consisting of:
    - a gateway and an IP endpoint.
  - 18. The storage medium of claim 10, wherein said identity index is separate from said cryptographic hash.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Shua, Avi
Primary Examiner(s)
PHAM, LUU T

Application Number

US12/357,434
Publication Number

US 20100183014A1
Time in Patent Office

1,797 Days
Field of Search

726/3
US Class Current

713/160
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 9/3236   using cryptographic hash fu...

Methods and devices for packet tagging using IP indexing via dynamic-length prefix code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Methods and devices for packet tagging using IP indexing via dynamic-length prefix code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others