Network node with network-attached stateless security offload device employing out-of-band processing
First Claim
1. A method, comprising:
- storing, by a host information handling system (IHS), security metadata that is associated with a data packet;
- determining, by the host IHS, if the data packet requires security processing;
- providing, by the host IHS, the data packet to an internal network interface controller if the host IHS determines that the data packet does not require security processing, the internal network interface controller transmitting the data packet to a communications network for communication to an IHS other than the host IHS;
- offloading, by the host IHS via a secure data link, the data packet and associated security metadata and static security association (SA) information to a stateless network-attached external security offload device if the host IHS determines that the data packet requires security processing, thus providing an offloaded data packet, the stateless network-attached external security offload device being external to the host IHS;
- receiving, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
- storing, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
- encrypting and encapsulating, by the stateless network-attached external security offload device, the offloaded data packet, thus providing an encapsulated encrypted data packet;
- transmitting, by the stateless network-attached external security offload device via the secure data link, the encapsulated encrypted data packet back to the host IHS for further processing; and
- transmitting, by the internal network interface controller of the host IHS, the encapsulated encrypted data packet to a communications network for communication to an IHS other than the host IHS.
Abstract
A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol.
10 Claims
1. A method, comprising: (independent claim; full text as given above under First Claim; dependent claims 2, 3, 4 and 5)
6. A method, comprising:
- receiving, by an internal network interface controller that is internal to a host information handling system (IHS), a data packet from a communications network, thus providing a received data packet;
- determining, by the host IHS, if the received data packet is an encapsulated encrypted data packet that requires security processing;
- forwarding, by the host IHS, the received data packet to an application in the host IHS for processing if the host IHS determines that the received data packet is not an encapsulated encrypted data packet that requires security processing;
- offloading, by the host IHS via a secure data link, the received data packet and static security association (SA) information, thus providing an offloaded data packet and static security association (SA) information, to a stateless network-attached external security offload device if the host IHS determines that the received data packet is an encapsulated encrypted data packet that requires security processing, the stateless network-attached external security offload device being external to the host IHS;
- receiving, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
- storing, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
- decapsulating and decrypting, by the stateless network-attached external security offload device, the offloaded data packet, thus providing a decapsulated decrypted data packet; and
- transmitting, by the stateless network-attached external security offload device via the secure data link, the decapsulated decrypted data packet back to the host IHS for further processing by the application in the host IHS.
(dependent claims 7, 8, 9 and 10)
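The following is an added illustration of the host/offload split described by the abstract and by claims 1 and 6; it is not code from the patent or from any product. It assumes a simplified ESP-like packet layout (SPI, sequence number, ciphertext, tag), uses an HMAC-SHA256 keystream as a stand-in for ESP's AES cipher so it runs on the standard library alone, and puts the anti-replay window on the host, which the page does not spell out. The point it makes concrete is that every dynamic value (sequence counter, replay window) lives in the host, so the offload device is a pure function of its inputs and can be hot-swapped mid-flow.

```python
"""Host keeps all dynamic SA state; the offload device is stateless."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REPLAY_WINDOW = 64   # assumed window size
TAG_LEN = 16


@dataclass(frozen=True)
class StaticSA:
    """Static SA material that travels with every offload request."""
    spi: int
    enc_key: bytes
    auth_key: bytes


@dataclass
class SAState:
    """Dynamic per-SA state; exists only on the host (assumption)."""
    next_seq: int = 1
    highest_seq: int = 0
    seen_bitmap: int = 0   # bit i set => highest_seq - i already accepted


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib stand-in for ESP's cipher;
    # the SPI||seq nonce never repeats within one SA because the host
    # never reuses a sequence number.
    blocks = [hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StatelessOffloadDevice:
    """Holds no SA table and no counters between calls."""

    def encapsulate(self, sa: StaticSA, seq: int, payload: bytes) -> bytes:
        header = struct.pack(">II", sa.spi, seq)
        ct = _xor(payload, _keystream(sa.enc_key, sa.spi, seq, len(payload)))
        tag = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        return header + ct + tag

    def decapsulate(self, sa: StaticSA, packet: bytes) -> Tuple[int, bytes]:
        header, ct, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != sa.spi:
            raise ValueError("SPI does not match supplied SA")
        want = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):   # verify before decrypting
            raise ValueError("integrity check failed")
        return seq, _xor(ct, _keystream(sa.enc_key, spi, seq, len(ct)))


class Host:
    def __init__(self, device: StatelessOffloadDevice,
                 outbound_policy: Dict[str, StaticSA], inbound_sas: Dict[int, StaticSA]):
        self.device = device
        self.outbound_policy = outbound_policy   # destination -> SA (absent = no security)
        self.inbound_sas = inbound_sas           # SPI -> SA
        self.state: Dict[int, SAState] = {}      # SPI -> dynamic state, host-resident
        self.nic_out, self.app_in = [], []

    def swap_device(self, new_device: StatelessOffloadDevice) -> None:
        """Hot-swap: nothing to migrate, the device held no state."""
        self.device = new_device

    def send(self, dst: str, payload: bytes) -> bytes:
        sa = self.outbound_policy.get(dst)
        if sa is None:                           # no security processing: straight to NIC
            self.nic_out.append(payload)
            return payload
        st = self.state.setdefault(sa.spi, SAState())
        seq, st.next_seq = st.next_seq, st.next_seq + 1   # host owns the counter
        pkt = self.device.encapsulate(sa, seq, payload)
        self.nic_out.append(pkt)
        return pkt

    def receive(self, packet: bytes) -> Optional[bytes]:
        # Simplified classification: a leading known SPI marks an encapsulated packet.
        spi = struct.unpack(">I", packet[:4])[0] if len(packet) >= 8 + TAG_LEN else None
        sa = self.inbound_sas.get(spi)
        if sa is None:                           # plaintext: hand to the application
            self.app_in.append(packet)
            return packet
        seq, payload = self.device.decapsulate(sa, packet)
        if not self._replay_check(sa.spi, seq):
            return None                          # dropped by host-side anti-replay
        self.app_in.append(payload)
        return payload

    def _replay_check(self, spi: int, seq: int) -> bool:
        st = self.state.setdefault(spi, SAState())
        if seq > st.highest_seq:                 # advance the window
            st.seen_bitmap = ((st.seen_bitmap << (seq - st.highest_seq)) | 1) & ((1 << REPLAY_WINDOW) - 1)
            st.highest_seq = seq
            return True
        offset = st.highest_seq - seq
        if offset >= REPLAY_WINDOW or (st.seen_bitmap >> offset) & 1:
            return False                         # too old, or already seen
        st.seen_bitmap |= 1 << offset
        return True


def demo() -> dict:
    """Outbound path, inbound path, replay, hot-swap and tamper cases; constructed keys."""
    sa = StaticSA(spi=0x1001, enc_key=b"\x11" * 32, auth_key=b"\x22" * 32)
    sender = Host(StatelessOffloadDevice(), {"peer": sa}, {})
    receiver = Host(StatelessOffloadDevice(), {}, {sa.spi: sa})
    out = {}
    pkt1 = sender.send("peer", b"first")
    out["seq1"], out["delivered1"] = pkt1[4:8], receiver.receive(pkt1)
    out["replayed"] = receiver.receive(pkt1)
    sender.swap_device(StatelessOffloadDevice())   # hot-swap between packets
    pkt2 = sender.send("peer", b"second")
    out["seq2"], out["delivered2"] = pkt2[4:8], receiver.receive(pkt2)
    tampered = pkt2[:-1] + bytes([pkt2[-1] ^ 1])
    try:
        receiver.receive(tampered)
        out["tamper"] = "accepted"
    except ValueError:
        out["tamper"] = "rejected"
    out["plain"] = sender.send("other", b"plain")
    return out
```

Because `StatelessOffloadDevice` carries nothing across calls, `swap_device` is a pointer change and the sequence numbers keep counting from the host's `SAState`; that is the "hot-swapping without information loss" property the abstract claims. The same property is why the anti-replay window has to sit on the host side: a device that remembered which sequence numbers it had seen would no longer be stateless.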