Simplifying IKE process in a gateway to enable datapath scaling using a two tier cache configuration
First Claim
1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a Virtual Private Network (VPN) gateway having an Internet Key Exchange (IKE) which performs cryptographic operations on data packets comprising:
- transmitting from the gateway a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to a second app having a same internally unique IP address as the first app;
receiving, at the VPN gateway, data packets from the first app; and
determining, at the VPN gateway, that the data transmission originated from the first app based on the source port;
searching a local cache in an IPSec component of a datapath for security associations for the data packet;
searching a security policy and security association cache for security associations for the data packet; and
performing cryptographic operations on the data packet using the security associations outside of the IKE process in the gateway.
3 Assignments
0 Petitions
Accused Products
Abstract
Computational complexity, specifically, cryptographic operations, is removed from the IKE(Internet Key Exchange) process in a VPN gateway appliance, thereby enabling scaling of the number of datapaths that can be managed by a single IKE process. A two-tier cache configuration enables necessary cryptographic operations on packets in the gateway but does so without placing additional computational burdens on the IKE process. One cache containing security association data is local to the IPSec component of the datapath instance. The second cache is higher level and is populated by IKE with security association data upon completion of IKE Phase 2 negotiations. The local cache is searched first for security policy data and if found is used to encrypt/decrypt the data packet. If not found locally, the IKE centralized cache is searched and if found, the local cache is updated with the security association data.
-
Citations
9 Claims
-
1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a Virtual Private Network (VPN) gateway having an Internet Key Exchange (IKE) which performs cryptographic operations on data packets comprising:
-
transmitting from the gateway a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to a second app having a same internally unique IP address as the first app; receiving, at the VPN gateway, data packets from the first app; and determining, at the VPN gateway, that the data transmission originated from the first app based on the source port; searching a local cache in an IPSec component of a datapath for security associations for the data packet; searching a security policy and security association cache for security associations for the data packet; and performing cryptographic operations on the data packet using the security associations outside of the IKE process in the gateway. - View Dependent Claims (2, 3, 4, 5, 6, 8, 9)
-
-
7. A method as recited in claim l further comprising routing the data packet to a datapath in the gateway.
Specification