Anti-replay mechanism for group virtual private networks
Abstract
A virtual private network (VPN) device is described that provides a strict anti-replay mechanism for packets in a group VPN. An example first VPN device includes one or more processors; one or more network interfaces configured to receive a packet having an encryption header that includes a group VPN member identifier associated with a second VPN device and a sequence number, wherein the first and second VPN devices are members of a group VPN; a data repository configured to store a window of sequence numbers maintained by the first VPN device for the second VPN device; and a VPN session management module operable by the one or more processors to identify the window of sequence numbers based on the group VPN member identifier, determine whether the sequence number of the header is included in the window of sequence numbers, and process the packet based on the determination.
17 Claims
1. A method comprising:
receiving, with a first virtual private network (VPN) device from a second VPN device, a packet having an encryption header, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device;
identifying a window of sequence numbers maintained by the first VPN device for the second VPN device based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers;
determining whether the specified sequence number of the header is included in the window of sequence numbers; and
responsive to determining that the specified sequence number of the header is included in the window of sequence numbers:
determining, with the first VPN device, whether the specified sequence number was previously received by the first VPN device;
when the specified sequence number was not previously received, accepting the packet and marking the specified sequence number as received; and
when the specified sequence number was previously received, dropping the packet.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A first virtual private network (VPN) device comprising:
one or more processors;
one or more network interfaces configured to receive a packet having an encryption header from a second VPN device, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device; and
a memory configured to store a data repository and a VPN session management module, wherein the data repository is configured to store a window of sequence numbers maintained by the first VPN device for the second VPN device, and wherein the VPN session management module is operable by the one or more processors to identify the window of sequence numbers based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers, determine whether the specified sequence number of the header is included in the window of sequence numbers, and, responsive to determining that the specified sequence number of the header is included in the window of sequence numbers:
determine whether the specified sequence number was previously received by the first VPN device;
when the specified sequence number was not previously received, accept the packet and mark the specified sequence number as received; and
when the specified sequence number was previously received, drop the packet.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16)
17. A computer-readable storage medium encoded with instructions that, when executed, cause one or more programmable processors of a first virtual private network (VPN) device to:
receive a packet having an encryption header from a second VPN device, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device;
identify a window of sequence numbers maintained by the first VPN device for the second VPN device based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers;
determine whether the specified sequence number of the header is included in the window of sequence numbers; and
responsive to determining that the specified sequence number of the header is included in the window of sequence numbers:
determine whether the specified sequence number was previously received by the first VPN device;
when the specified sequence number was not previously received, accept the packet and mark the specified sequence number as received; and
when the specified sequence number was previously received, drop the packet.
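The following Python model is an added worked example of the mechanism the claims describe; it is not code from the patent or from any product. It splits the 32-bit ESP sequence number field into the 5-bit member identifier (the first, most significant bits) and the 27-bit per-member sequence number, and keeps one anti-replay window per member identifier instead of one per security association, which is what lets a receiver tell a replayed packet from a legitimately equal sequence number sent by a different member. The window is modelled in the style of RFC 4303 Appendix A (a highest-seen counter plus a bitmap); advancing the window when a sequence number above the current top arrives is that standard behaviour and is an assumption beyond the text of claim 1, which only spells out the in-window branch. The window size, class and function names and the sample packets are constructed for this example.

```python
"""Per-member ESP anti-replay window for a group VPN (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Tuple

MEMBER_ID_BITS = 5                        # "first five bits" of the field
SEQ_BITS = 32 - MEMBER_ID_BITS            # the remaining twenty-seven bits
SEQ_MASK = (1 << SEQ_BITS) - 1            # 0x07FFFFFF
MEMBER_MASK = (1 << MEMBER_ID_BITS) - 1   # 0x1F, so at most 32 members


def split_sequence_field(field32: int) -> Tuple[int, int]:
    """Split the 32-bit ESP sequence number field into (member_id, seq).

    The member identifier occupies the most significant five bits, the
    per-member sequence number the low twenty-seven bits."""
    if not 0 <= field32 <= 0xFFFFFFFF:
        raise ValueError("sequence number field must fit in 32 bits")
    return (field32 >> SEQ_BITS) & MEMBER_MASK, field32 & SEQ_MASK


def build_sequence_field(member_id: int, seq: int) -> int:
    """Inverse of split_sequence_field, as the sending member would do it."""
    if not 0 <= member_id <= MEMBER_MASK:
        raise ValueError("member id must fit in 5 bits")
    if not 0 <= seq <= SEQ_MASK:
        raise ValueError("sequence number must fit in 27 bits")
    return (member_id << SEQ_BITS) | seq


@dataclass
class ReplayWindow:
    """Sliding window: 'top' is the highest sequence number accepted so far
    and bit i of 'bitmap' records whether sequence number top - i was seen."""
    size: int = 64
    top: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        if seq == 0:
            return False, "dropped, sequence number 0 is never valid in ESP"
        if seq > self.top:
            # Newer than anything seen from this member: slide the window up
            # so that the new number becomes bit 0 and older bits fall off.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "accepted, window advanced"
        offset = self.top - seq
        if offset >= self.size:
            return False, "dropped, below window"        # too old to judge
        if self.bitmap & (1 << offset):
            return False, "dropped, replay"              # already received
        self.bitmap |= 1 << offset                       # mark as received
        return True, "accepted, marked received"


class GroupVpnReceiver:
    """Receiving group member: one ReplayWindow per sending member id."""

    def __init__(self, window_size: int = 64) -> None:
        self.window_size = window_size
        self.windows: Dict[int, ReplayWindow] = {}

    def process(self, field32: int) -> Tuple[int, int, bool, str]:
        member_id, seq = split_sequence_field(field32)
        window = self.windows.setdefault(member_id, ReplayWindow(self.window_size))
        accepted, reason = window.check_and_update(seq)
        return member_id, seq, accepted, reason


if __name__ == "__main__":
    rx = GroupVpnReceiver(window_size=8)
    # Constructed traffic: member 3 sends 1, 2, a replay of 2, then 10 and 5;
    # member 7 sends its own sequence number 2, which must not collide.
    for member_id, seq in [(3, 1), (3, 2), (3, 2), (7, 2), (3, 10), (3, 2), (3, 5), (3, 5)]:
        print(rx.process(build_sequence_field(member_id, seq)))
```

Two practical consequences of the field split are worth keeping in mind: the 5-bit identifier caps the group at 32 distinguishable senders, and the 27-bit counter gives each member about 134 million packets before it would wrap, and ESP does not permit a sequence number to wrap on the same key, so the sender must rekey before reaching that limit.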
Specification