System and method for secure cloud service delivery with prioritized services in a network environment
First Claim
1. A method, comprising:
- receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities;
selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set;
mapping the request to the selected cryptographic module that can support the cloud capability set;
offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request;
selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support the plurality of cloud capabilities in the cloud capability set; and
splitting the VPN tunnel between the selected cryptographic modules.
1 Assignment
0 Petitions
Accused Products
Abstract
An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.
-
Citations
18 Claims
-
1. A method, comprising:
-
receiving a request for a cloud capability set during an Internet Key Exchange (IKE) negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities; selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set; mapping the request to the selected cryptographic module that can support the cloud capability set; offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request; selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support the plurality of cloud capabilities in the cloud capability set; and splitting the VPN tunnel between the selected cryptographic modules. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. An apparatus, comprising:
-
a memory configured to store data; and a processor operable to execute instructions associated with the data, wherein the processor and the memory cooperate, such that the apparatus is configured for; receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities; selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set; mapping the request to the selected cryptographic module that can support the cloud capability set; offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request; selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support all the cloud capabilities in the cloud capability set; and splitting the VPN tunnel between the selected cryptographic modules. - View Dependent Claims (9, 10, 11, 12)
-
-
13. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations, comprising:
-
receiving a request for a cloud capability set during an IKE negotiation associated with a VPN tunnel between a subscriber and a cloud, wherein the cloud capability set comprises a plurality of cloud capabilities; selecting a cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the selected cryptographic module can support the requested cloud capability set; mapping the request to the selected cryptographic module that can support the cloud capability set; offloading the VPN tunnel to the selected cryptographic module for processing flows over the VPN tunnel according to the request; selecting another cryptographic module if the selected cryptographic module cannot support at least one of the cloud capabilities in the cloud capability set, wherein the selected cryptographic modules can collectively support all the cloud capabilities in the cloud capability set; and splitting the VPN tunnel between the selected cryptographic modules. - View Dependent Claims (14, 15, 16, 17)
-
-
18. A method, comprising:
-
receiving a first request for a first cloud capability set during a first IKE negotiation associated with a first VPN tunnel between a first subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities; receiving a second request for a second cloud capability set during a second IKE negotiation associated with a second VPN tunnel between a second subscriber and the cloud, wherein the second cloud capability set is different from the first cloud capability set; selecting a first cryptographic module and a second cryptographic module from a plurality of cryptographic modules located in the cloud, wherein different cryptographic modules support different cloud capability sets, wherein the first cryptographic module can support the first cloud capability set and the second cryptographic module can support the second cloud capability set; mapping the first request to the first cryptographic module and the second request to the second cryptographic module; offloading the first VPN tunnel to the first cryptographic module and the second VPN tunnel to the second cryptographic module for processing flows over the corresponding first and second VPN tunnels according to the respective first and second requests.
-
Specification