Network node with network-attached stateless security offload device employing out-of-band processing

US 8,826,003 B2
Filed: 02/26/2013
Issued: 09/02/2014
Est. Priority Date: 02/21/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

storing, by a host information handling system (IHS), security metadata that is associated with a data packet;

determining, by the host IHS, if the data packet requires security processing;

providing, by the host IHS, the data packet to an internal network interface controller if the host IHS determines that the data packet does not require security processing, the internal network interface controller transmitting the data packet to a communications network for communication to an IHS other than the host IHS;

offloading, by the host IHS via a secure data link, the data packet and associated security metadata and static security association (SA) information to a stateless network-attached external security offload device if the host IHS determines that the data packet requires security processing, thus providing an offloaded data packet, the stateless network-attached external security offload device being external to the host IHS;

receiving, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;

storing, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;

encrypting and encapsulating, by the stateless network-attached external security offload device, the offloaded data packet, thus providing an encapsulated encrypted data packet;

transmitting, by the stateless network-attached external security offload device via the secure data link, the encapsulated encrypted data packet back to the host IHS for further processing; and

transmitting, by the internal network interface controller of the host IHS, the encapsulated encrypted data packet to a communications network for communication to an IHS other than the host IHS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol.

Citations

10 Claims

1. A method, comprising:
- storing, by a host information handling system (IHS), security metadata that is associated with a data packet;
  
  determining, by the host IHS, if the data packet requires security processing;
  
  providing, by the host IHS, the data packet to an internal network interface controller if the host IHS determines that the data packet does not require security processing, the internal network interface controller transmitting the data packet to a communications network for communication to an IHS other than the host IHS;
  
  offloading, by the host IHS via a secure data link, the data packet and associated security metadata and static security association (SA) information to a stateless network-attached external security offload device if the host IHS determines that the data packet requires security processing, thus providing an offloaded data packet, the stateless network-attached external security offload device being external to the host IHS;
  
  receiving, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
  
  storing, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
  
  encrypting and encapsulating, by the stateless network-attached external security offload device, the offloaded data packet, thus providing an encapsulated encrypted data packet;
  
  transmitting, by the stateless network-attached external security offload device via the secure data link, the encapsulated encrypted data packet back to the host IHS for further processing; and
  
  transmitting, by the internal network interface controller of the host IHS, the encapsulated encrypted data packet to a communications network for communication to an IHS other than the host IHS.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising configuring the host IHS, secure data link, stateless network-attached external security offload device and external network interface controller to form a network node.
  - 3. The method of claim 1, wherein the external network interface controller is integrated within the stateless network-attached external security offload device.
  - 4. The method of claim 1, wherein the stateless network-attached external security offload device employs the IPsec protocol.
  - 5. The method of claim 1, wherein the encrypting and encapsulating of the data packet is performed by the stateless network-attached external security device as instructed by the associated security metadata that the host IHS transmits to the stateless network-attached external security device.

6. A method, comprising:
- receiving, by an internal network interface controller that is internal to a host information handling system (IHS), a data packet from a communications network, thus providing a received data packet,determining, by the host IHS, if the received data packet is an encapsulated encrypted data packet that requires security processing;
  
  forwarding, by the host IHS, the received data packet to an application in the host IHS for processing if the host IHS determines that the received data packet is not an encapsulated encrypted data packet that requires security processing;
  
  offloading, by the host IHS via a secure data link, the received data packet and static security association (SA) information thus providing an offloaded data packet and static security association (SA) information to a stateless network-attached external security offload device, if the host IHS determines that the received data packet is an encapsulated encrypted data packet that requires security processing, the stateless network-attached external security offload device being external to the host IHS;
  
  receiving, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
  
  storing, by the stateless network-attached external security offload device, the offloaded data packet and the static security association (SA) information;
  
  decapsulating and decrypting, by the stateless network-attached external security offload device, the offloaded data packet, thus providing a decapsulated decrypted data packet; and
  
  transmitting, by the stateless network-attached external security offload device via the secure data link, the decapsulated decrypted data packet back to the host IHS for further processing by the application in the host IHS.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising configuring the host IHS, secure data link and stateless network-attached external security offload device to form a network node.
  - 8. The method of claim 6, wherein the stateless network-attached external security offload device employs the IPsec protocol.
  - 9. The method of claim 6, further comprising adding, by the stateless network-attached external security offload device, security metadata to the decapsulated decrypted data packet.
  - 10. The method of claim 6, further comprising performing state checking, by the host IHS, for the decapsulated decrypted data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Gearhart, Curtis Matthew, Meyer, Christopher, Moonen, Scott Christopher, Overby, Linwood Hugh
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US13/778,050
Publication Number

US 20130219175A1
Time in Patent Office

553 Days
Field of Search

713/150, 709238-244
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/0485   Networking architectures fo...

Network node with network-attached stateless security offload device employing out-of-band processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Network node with network-attached stateless security offload device employing out-of-band processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links