Delayed network protocol proxy for packet inspection in a network

US 9,118,717 B2
Filed: 02/18/2005
Issued: 08/25/2015
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:

receiving, at the intermediary device, a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;

the intermediary device storing one or more of the TCP parameters in a connection block data structure, wherein the one or more TCP parameters include at least one of a) maximum segment size;

b) window scale factor;

c) a first flag that indicates whether time stamping will be used;

or d) a second flag that indicates whether selective acknowledgement will be used;

the intermediary device sending the TCP SYN/ACK packet toward the first entity;

based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a first TCP endpoint of a first TCP connection to the first entity; and

based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a second TCP endpoint of a second TCP connection to the second entity;

using the intermediary device, creating a proxied TCP connection between the first entity and the second entity without negotiating TCP parameters with the first entity or the second entity, wherein the proxied TCP connection comprises the first TCP endpoint and the second TCP endpoint;

in response to a data packet passing through the original connection, replacing the original connection with the proxied connection;

the intermediary device accumulating a plurality of packets received via one of the first or second TCP endpoints, sending a corresponding TCP ACK packet for each of the plurality of packets on behalf of one of the first entity or second entity, and before forwarding the plurality of packets, assembling portions of the plurality of packets to form a message and inspecting the message;

wherein the intermediary device comprises a computer system positioned between the two communicating entities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary device, which behaves as a proxy for two entities after the entities have established a connection between themselves, is disclosed, as is a method that may be performed by such a device. The intermediary device can inspect a complete message, whose parts may be spread among multiple separate packets, without engaging in handshake phases with the message'"'"'s origin or destination. As a first entity negotiates connection parameters with a second entity, the intermediary device stores the connection parameters as the parameters flow through the intermediary device. After the two entities have established an original connection, the intermediary device uses the intercepted parameters to form two separate connections in the place of the original connection: one between the intermediary device and the first entity, and another between the intermediary device and the second entity. To the entities, the newly formed connections appear to be same as the original connection.

51 Citations

View as Search Results

20 Claims

1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of:
- receiving, at the intermediary device, a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  the intermediary device storing one or more of the TCP parameters in a connection block data structure, wherein the one or more TCP parameters include at least one of a) maximum segment size;
  
  b) window scale factor;
  
  c) a first flag that indicates whether time stamping will be used;
  
  or d) a second flag that indicates whether selective acknowledgement will be used;
  
  the intermediary device sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a first TCP endpoint of a first TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a second TCP endpoint of a second TCP connection to the second entity;
  
  using the intermediary device, creating a proxied TCP connection between the first entity and the second entity without negotiating TCP parameters with the first entity or the second entity, wherein the proxied TCP connection comprises the first TCP endpoint and the second TCP endpoint;
  
  in response to a data packet passing through the original connection, replacing the original connection with the proxied connection;
  
  the intermediary device accumulating a plurality of packets received via one of the first or second TCP endpoints, sending a corresponding TCP ACK packet for each of the plurality of packets on behalf of one of the first entity or second entity, and before forwarding the plurality of packets, assembling portions of the plurality of packets to form a message and inspecting the message;
  
  wherein the intermediary device comprises a computer system positioned between the two communicating entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, wherein the step of creating the first TCP endpoint comprises creating the first TCP endpoint based on one or more TCP parameters that are indicated in the data packet, wherein the data packet was sent by the first entity toward the second entity over the original TCP connection.
  - 3. A method as recited in claim 2, wherein the data packet does not indicate the one or more TCP parameters that are stored in the connection block data structure.
  - 4. A method as recited in claim 2, wherein the data packet is not a TCP SYN packet or a TCP SYN/ACK packet.
  - 5. A method as recited in claim 1, wherein the step of creating the first TCP endpoint comprises creating the first TCP endpoint without negotiating TCP parameters with the first entity.
  - 6. A method as recited in claim 1, wherein a maximum segment size is among the one or more TCP parameters that is indicated in the TCP SYN/ACK packet and stored in the connection block data structure.
  - 7. A method as recited in claim 1, wherein a window scaling factor is among the one or more TCP parameters that is indicated in the TCP SYN/ACK packet and stored in the connection block data structure.
  - 8. A method as recited in claim 1, the method further comprising:
    - receiving a data packet at the first TCP endpoint; and
      
      in response to receiving the data packet at the first TCP endpoint, sending the data packet through the second TCP endpoint.
  - 9. A method as recited in claim 1, the method further comprising:
    - receiving a data packet at the first TCP endpoint;
      
      modifying content that is contained in a payload portion of the data packet; and
      
      after modifying the content, sending the data packet through the second TCP endpoint.
  - 10. A method as recited in claim 1, the method further comprising:
    - receiving a first data packet of the plurality of packets at the first TCP endpoint; and
      
      in response to receiving the first data packet, sending a TCP ACK packet through the first TCP endpoint.
  - 11. A method as recited in claim 10, the method further comprising:
    - receiving a second data packet of the plurality of packets at the first TCP endpoint;
      
      forming the message by appending contents of at least a payload portion of the second data packet to contents of at least a payload portion of the first data packet;
      
      determining whether any part of the message matches a specified pattern;
      
      if any part of the message matches the specified pattern, then dropping the first data packet and the second data packet so that neither the first data packet nor the second data packet is received by the second entity; and
      
      if no part of the message matches the specified pattern, then sending the first data packet and the second data packet through the second TCP endpoint.
  - 12. A method as recited in claim 1, the method further comprising:
    - receiving an original TCP SYN packet that indicates one or more proposed TCP parameters that the first entity proposes for use in the original TCP connection, wherein the original TCP SYN packet is destined for the second entity;
      
      altering the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters; and
      
      sending the altered TCP packet, instead of the original TCP SYN packet, toward the second entity.

13. A computer-readable volatile or non-volatile medium storing one or more sequences of instructions for enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, at the intermediary device, a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  the intermediary device storing one or more of the TCP parameters in a connection block data structure, wherein the one or more TCP parameters include at least one of a) maximum segment size;
  
  b) window scale factor;
  
  c) a first flag that indicates whether time stamping will be used;
  
  or d) a second flag that indicates whether selective acknowledgement will be used;
  
  the intermediary device sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a first TCP endpoint of a TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a second TCP endpoint of a TCP connection to the second entity;
  
  using the intermediary device, creating a proxied TCP connection between the first entity and the second entity without negotiating TCP parameters with the first entity or the second entity, wherein the proxied TCP connection comprises the first TCP endpoint and the second TCP endpoint;
  
  in response to a data packet passing through the original connection, replacing the original connection with the proxied connection;
  
  the intermediary device accumulating a plurality of packets received via one of the first or second TCP endpoints, sending a corresponding TCP ACK packet for each of the plurality of packets on behalf of one of the first entity or second entity, and before forwarding the plurality of packets, assembling portions of the plurality of packets to form a message and inspecting the message;
  
  wherein the intermediary device comprises a computer system positioned between the two communicating entities.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-readable volatile or non-volatile medium of claim 13, wherein the instructions, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - receiving a data packet at the first TCP endpoint;
      
      modifying content that is contained in a payload portion of the data packet; and
      
      after modifying the content, sending the data packet through the second TCP endpoint.
  - 16. The computer-readable volatile or non-volatile medium of claim 13, wherein the instructions, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - receiving a first data packet of the plurality of packets at the first TCP endpoint; and
      
      in response to receiving the first data packet, sending a TCP ACK packet through the first TCP endpoint;
      
      receiving a second data packet of the plurality of packets at the first TCP endpoint;
      
      forming the message by appending contents of at least a payload portion of the second data packet to contents of at least a payload portion of the first data packet;
      
      determining whether any part of the message matches a specified pattern;
      
      if any part of the message matches the specified pattern, then dropping the first data packet and the second data packet so that neither the first data packet nor the second data packet is received by the second entity; and
      
      if no part of the message matches the specified pattern, then sending the first data packet and the second data packet through the second TCP endpoint.
  - 17. The computer-readable volatile or non-volatile medium of claim 13, wherein the instructions, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - receiving an original TCP SYN packet that indicates one or more proposed TCP parameters that the first entity proposes for use in the original TCP connection, wherein the original TCP SYN packet is destined for the second entity;
      
      altering the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters; and
      
      sending the altered TCP packet, instead of the original TCP SYN packet, toward the second entity.

14. An apparatus positioned between two communicating entities that behaves as a proxy device relative to the two communicating entities after a connection already has been established between the two communicating entities, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving, at the apparatus, a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined;
  
  the apparatus storing one or more of the TCP parameters in a connection block data structure, wherein the one or more TCP parameters include at least one of a) maximum segment size;
  
  b) window scale factor;
  
  c) a first flag that indicates whether time stamping will be used;
  
  or d) a second flag that indicates whether selective acknowledgement will be used;
  
  the apparatus sending the TCP SYN/ACK packet toward the first entity;
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the apparatus creating a first TCP endpoint of a first TCP connection to the first entity; and
  
  based on the one or more TCP parameters that are stored in the connection block data structure, the apparatus creating a second TCP endpoint of a second TCP connection to the second entity;
  
  using the apparatus, creating the proxied TCP connection between the first entity and the second entity without negotiating TCP parameters with the first entity or the second entity, wherein the proxied TCP connection comprises the first TCP endpoint and the second TCP endpoint;
  
  in response to a data packet passing through the original connection, replacing the original connection with the proxied connection;
  
  the apparatus accumulating a plurality of packets received via one of the first or second TCP endpoints, sending a corresponding TCP ACK packet for each of the plurality of packets on behalf of one of the first entity or second entity, and before forwarding the plurality of packets, assembling portions of the plurality of packets to form a message and inspecting the message.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 14, wherein the instructions, when executed by the processor, further cause the processor to carry out the steps of:
    - receiving a data packet at the first TCP endpoint;
      
      modifying content that is contained in a payload portion of the data packet; and
      
      after modifying the content, sending the data packet through the second TCP endpoint.
  - 19. The apparatus of claim 14, wherein the instructions, when executed by the processor, further cause the processor to carry out the steps of:
    - receiving a first data packet of the plurality of packets at the first TCP endpoint; and
      
      in response to receiving the first data packet, sending a TCP ACK packet through the first TCP endpoint;
      
      receiving a second data packet of the plurality of packets at the first TCP endpoint;
      
      forming the message by appending contents of at least a payload portion of the second data packet to contents of at least a payload portion of the first data packet;
      
      determining whether any part of the message matches a specified pattern;
      
      if any part of the message matches the specified pattern, then dropping the first data packet and the second data packet so that neither the first data packet nor the second data packet is received by the second entity; and
      
      if no part of the message matches the specified pattern, then sending the first data packet and the second data packet through the second TCP endpoint.
  - 20. The apparatus of claim 14, wherein the instructions, when executed by the processor, further cause the processor to carry out the steps of:
    - receiving an original TCP SYN packet that indicates one or more proposed TCP parameters that the first entity proposes for use in the original TCP connection, wherein the original TCP SYN packet is destined for the second entity;
      
      altering the one or more proposed TCP parameters to produce an altered TCP SYN packet that indicates one or more altered TCP parameters; and
      
      sending the altered TCP packet, instead of the original TCP SYN packet, toward the second entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kahol, Anurag, Majee, Sumandra, Waterman, Alex, Mathison, Paul
Primary Examiner(s)
GREENE, JOSEPH L

Application Number

US11/061,248
Publication Number

US 20060190612A1
Time in Patent Office

3,840 Days
Field of Search

709/228
US Class Current

1/1
CPC Class Codes

H04L 67/564   Enhancement of application ...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/24   Negotiation of communicatio...

Delayed network protocol proxy for packet inspection in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Delayed network protocol proxy for packet inspection in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others