System and method for secure cloud service delivery with prioritized services in a network environment

US 8,862,883 B2
Filed: 05/16/2012
Issued: 10/14/2014
Est. Priority Date: 05/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities;

selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set;

mapping the request to the selected cryptographic module that can support the cloud capability set;

offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request;

selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support the plurality of cloud capabilities in the cloud capability set; and

splitting the VPN tunnel between the selected cryptographic modules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.

Citations

18 Claims

1. A method, comprising:
- receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities;
  
  selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set;
  
  mapping the request to the selected cryptographic module that can support the cloud capability set;
  
  offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request;
  
  selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support the plurality of cloud capabilities in the cloud capability set; and
  
  splitting the VPN tunnel between the selected cryptographic modules.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      selecting another cryptographic module from the plurality of cryptographic modules, wherein the another cryptographic module can support the another cloud capability set;
      
      mapping the another request to the selected another cryptographic module; and
      
      offloading the another VPN tunnel to the selected another cryptographic module for processing flows over the another VPN tunnel according to the another request.
  - 3. The method of claim 1, wherein the request comprises an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload.
  - 4. The method of claim 1, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 5. The method of claim 1, wherein the request is received from the subscriber.
  - 6. The method of claim 5, wherein the request is compared with a service catalog comprising authorized cloud capabilities derived from a SLA between the subscriber and a cloud service provider managing the cloud, the method further comprising:
    - denying the request if at least one cloud capability in the cloud capability set does not match any of the authorized cloud capabilities.
  - 7. The method of claim 1, wherein each cloud capability is a selected one of a group of cloud capabilities, the group consisting of:
    - (a) a capability to support different multicast encryption schemes,(b) a capability to encrypt Layer 2 tunneling protocol (L2TP) version 2, and L2TPv3 tunnels,(c) a capability to encrypt Generic Routing Encapsulation tunnels,(d) a capability to encrypt IPv6 traffic,(e) a capability to provide different quality of service for Internet Protocol security (IPsec),(f) a capability to support different VPN technologies including EzVPN, dynamic multipoint VPN, and group encrypted transport VPN,(g) a capability to support IKEv2,(h) a capability to support mobility including mobile VPN client and home agent/foreign agent,(i) a capability to support Lempel-Ziv-Stac compression before encryption,(j) a capability to support data encryption standards (DES)/Triple DES (3DES)/Advanced Encryption Standard 256,(h) a capability to support hot standby routing protocol, and(k) a capability to support IPsec with network/port address translation.

8. An apparatus, comprising:
- a memory configured to store data; and
  
  a processor operable to execute instructions associated with the data, wherein the processor and the memory cooperate, such that the apparatus is configured for;
  
  receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities;
  
  selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set;
  
  mapping the request to the selected cryptographic module that can support the cloud capability set;
  
  offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request;
  
  selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support all the cloud capabilities in the cloud capability set; and
  
  splitting the VPN tunnel between the selected cryptographic modules.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, wherein the request comprises an ISAKMP packet listing the one or more cloud capabilities in a private payload.
  - 10. The apparatus of claim 8, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 11. The apparatus of claim 8, wherein the request is received from the subscriber.
  - 12. The apparatus of claim 8, further configured for:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      selecting another cryptographic module from the plurality of cryptographic modules, wherein the another cryptographic module can support the another cloud capability set;
      
      mapping the another request to the selected another cryptographic module; and
      
      offloading the another VPN tunnel to the selected another cryptographic module for processing flows over the another VPN tunnel according to the another request.

13. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations, comprising:
- receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities;
  
  selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set;
  
  mapping the request to the selected cryptographic module that can support the cloud capability set;
  
  offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request;
  
  selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support all the cloud capabilities in the cloud capability set; and
  
  splitting the VPN tunnel between the selected cryptographic modules.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The logic of claim 13, wherein the request comprises an ISAKMP packet listing the one or more cloud capabilities in a private payload.
  - 15. The logic of claim 13, wherein the request is received from a service catalog comprising authorized cloud capabilities derived from a service level agreement (SLA) between the subscriber and a cloud service provider managing the cloud.
  - 16. The logic of claim 13, wherein the request is received from the subscriber.
  - 17. The logic of claim 13, the operations further comprising:
    - receiving another request for another cloud capability set during another IKE negotiation associated with another VPN tunnel between another subscriber and the cloud, wherein the another cloud capability set is different from the cloud capability set;
      
      selecting another cryptographic module from the plurality of cryptographic modules, wherein the another cryptographic module can support the another cloud capability set;
      
      mapping the another request to the selected another cryptographic module; and
      
      offloading the another VPN tunnel to the selected another cryptographic module for processing flows over the another VPN tunnel according to the another request.

18. A method, comprising:
- receiving a first request for a first cloud capability set during a first IKE negotiation associated with a first VPN tunnel between a first subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities;
  
  receiving a second request for a second cloud capability set during a second IKE negotiation associated with a second VPN tunnel between a second subscriber and the cloud, wherein the second cloud capability set is different from the first cloud capability set;
  
  selecting a first cryptographic module and a second cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the first cryptographic module can support the first cloud capability set and the second cryptographic module can support the second cloud capability set;
  
  mapping the first request to the first cryptographic module and the second request to the second cryptographic module;
  
  offloading the first VPN tunnel to the first cryptographic module and the second VPN tunnel to the second cryptographic module for processing flows over the corresponding first and second VPN tunnels according to the respective first and second requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cherukuri, Sunil, Khalid, Mohamed, Cinque, Brian
Primary Examiner(s)
Patel, Nirav B

Application Number

US13/473,418
Publication Number

US 20130311778A1
Time in Patent Office

881 Days
Field of Search

713/170, 713/171, 713/151, 726 11- 15, 726/4, 380/277, 380/278, 718/105
US Class Current

713/171
CPC Class Codes

H04L 41/0803   Configuration setting

H04L 63/0272   Virtual private networks

H04L 67/1001   for accessing one among a p...

H04L 9/0838   Key agreement, i.e. key est...

System and method for secure cloud service delivery with prioritized services in a network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure cloud service delivery with prioritized services in a network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links