Network node with network-attached stateless security offload device employing out-of-band processing
First Claim
1. A network node, comprising:
a host information handling system (IHS) including an internal network interface controller;
a secure data link coupled to the host IHS;
a stateless network-attached external security offload device, coupled to the host IHS via the secure data link, the stateless network-attached external security offload device being external to the host IHS; and
the host IHS being configured to store security metadata that is associated with a data packet, the host IHS being further configured to offload the data packet and the associated security metadata and static security association (SA) information via the secure data link to the stateless network-attached external security offload device, thus providing an offloaded data packet;
the stateless network-attached external security offload device being configured to:
receive the offloaded data packet and the associated security metadata and the static security association (SA) information;
store the offloaded data packet and the static security association (SA) information;
encrypt and encapsulate the offloaded data packet, thus providing an encapsulated encrypted data packet; and
transmit the encapsulated encrypted data packet back to the host IHS for further processing;
the host IHS being further configured to:
transmit the encapsulated encrypted data packet via the internal network interface controller of the host IHS to a communications network for communication to an IHS other than the host IHS.
1 Assignment
0 Petitions
Abstract
A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled to it by a secure data link. The host IHS holds the state information about data packets, and the external security offload device provides stateless secure encapsulation and decapsulation of packets using a security protocol. An external network interface controller or an internal network interface controller communicates the encapsulated data packets over the communications network to their final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Keeping all state information in the host IHS allows external security offload devices to be hot-swapped without information loss. The external security offload device may be included in a firewall or intrusion detection device, and may implement the IPsec protocol.
9 Claims
1. A network node, comprising: (independent claim 1, as set out in full under First Claim above). Dependent claims: 2, 3, 4.
5. A network node, comprising:
a host information handling system (IHS) including an internal network interface controller;
a secure data link coupled to the host IHS;
a stateless network-attached external security offload device, coupled to the host IHS via the secure data link, the stateless network-attached external security offload device being external to the host IHS; and
the host IHS being configured to:
receive a data packet from a communications network via the internal interface controller, thus providing a received data packet;
determine if the received data packet is an encapsulated encrypted data packet that requires security processing;
forward the received data packet to an application in the host IHS for processing if the host IHS determines that the received data packet is not the encapsulated encrypted data packet that requires security processing;
offload the received data packet and static security association (SA) information via the secure data link to the stateless network-attached external security offload device, thus providing an offloaded data packet and static security association (SA) information, if the host IHS determines that the received data packet is the encapsulated encrypted data packet that requires security processing;
the stateless network-attached external security offload device being configured to:
receive the offloaded data packet and the static security association (SA) information;
store the offloaded data packet and the static security association (SA) information;
decapsulate and decrypt the offloaded data packet, thus providing a decapsulated decrypted data packet; and
transmit, via the secure data link, the decapsulated decrypted data packet back to the host IHS for further processing by the application in the host IHS.
Dependent claims: 6, 7, 8, 9.
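The split that claims 1 and 5 describe, as an added illustration (not code from the patent or its assignee): the host keeps every piece of dynamic SA state (outbound sequence counter, inbound anti-replay window), and the offload device is a pure function of the packet plus the static SA material it is handed on each call, so a second device can be attached mid-session without losing anything. The `StaticSA`, `HostSAState`, `StatelessOffloadDevice` and `Host` names are assumptions, and the cipher is a stand-in (HMAC-SHA256 used as a counter-mode keystream plus an encrypt-then-MAC tag), not IPsec's actual ESP transforms; the anti-replay logic follows the RFC 4303 sliding-window scheme and is only updated after the device has verified the integrity check value.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class StaticSA:
    """Static SA material the host ships to the device with every offloaded packet."""
    spi: int
    enc_key: bytes
    auth_key: bytes


@dataclass
class HostSAState:
    """Dynamic SA state; lives only on the host IHS, never on the device."""
    static: StaticSA
    next_seq: int = 1        # outbound sequence counter
    highest_seen: int = 0    # inbound: highest sequence number verified so far
    window: int = 0          # inbound anti-replay bitmap (bit 0 = highest_seen)


ESP_HDR = struct.Struct("!II")   # SPI, sequence number (layout of an ESP header)
ICV_LEN = 16
REPLAY_WINDOW = 64


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 as a PRF in counter mode keyed by (SPI, seq, block)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StatelessOffloadDevice:
    """Offload device: each call is a pure function of its inputs; nothing persists between calls."""

    def encapsulate(self, packet: bytes, sa: StaticSA, seq: int) -> bytes:
        hdr = ESP_HDR.pack(sa.spi, seq)
        body = _xor(packet, _keystream(sa.enc_key, sa.spi, seq, len(packet)))
        icv = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + body + icv

    def decapsulate(self, wire: bytes, sa: StaticSA) -> Tuple[int, bytes]:
        if len(wire) < ESP_HDR.size + ICV_LEN:
            raise ValueError("truncated packet")
        hdr, body, icv = wire[:ESP_HDR.size], wire[ESP_HDR.size:-ICV_LEN], wire[-ICV_LEN:]
        spi, seq = ESP_HDR.unpack(hdr)
        if spi != sa.spi:
            raise ValueError("SPI does not match the supplied SA")
        expected = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # verify integrity before decrypting
            raise ValueError("ICV check failed")
        return seq, _xor(body, _keystream(sa.enc_key, sa.spi, seq, len(body)))


def _replay_check_and_update(state: HostSAState, seq: int) -> None:
    """Host-side sliding window; only reached for packets whose ICV the device verified."""
    if seq == 0:
        raise ValueError("sequence number 0 is never valid")
    if seq > state.highest_seen:
        shift = seq - state.highest_seen
        state.window = ((state.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        state.highest_seen = seq
        return
    diff = state.highest_seen - seq
    if diff >= REPLAY_WINDOW:
        raise ValueError("sequence number too old")
    if (state.window >> diff) & 1:
        raise ValueError("replayed sequence number")
    state.window |= 1 << diff


class Host:
    """Host IHS: owns all per-SA state and drives whichever device is currently attached."""

    def __init__(self, device: StatelessOffloadDevice):
        self.device = device

    def send(self, packet: bytes, state: HostSAState) -> bytes:
        seq = state.next_seq
        state.next_seq += 1
        return self.device.encapsulate(packet, state.static, seq)

    def receive(self, wire: bytes, state: HostSAState) -> bytes:
        seq, plaintext = self.device.decapsulate(wire, state.static)
        _replay_check_and_update(state, seq)
        return plaintext


def demo():
    """Constructed scenario: hot-swap the sender's device after two packets, then replay one."""
    sa = StaticSA(spi=0x1000, enc_key=b"k" * 32, auth_key=b"a" * 32)   # constructed keys
    tx_state, rx_state = HostSAState(sa), HostSAState(sa)
    dev_a, dev_b = StatelessOffloadDevice(), StatelessOffloadDevice()
    sender, receiver = Host(dev_a), Host(dev_a)
    wires = [sender.send(b"pkt1", tx_state), sender.send(b"pkt2", tx_state)]
    sender.device = dev_b                       # hot swap: no state to migrate
    wires.append(sender.send(b"pkt3", tx_state))
    plain = [receiver.receive(w, rx_state) for w in wires]
    replay_rejected = False
    try:
        receiver.receive(wires[0], rx_state)    # seq 1 again
    except ValueError:
        replay_rejected = True
    return plain, replay_rejected, tx_state.next_seq


if __name__ == "__main__":
    print(demo())
```

Because the sequence counter and window never leave the host, swapping `dev_a` for `dev_b` needs no handover, and a device that is lost mid-flight costs the host nothing but the packets it was holding at that moment.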