Simplifying IKE process in a gateway to enable datapath scaling using a two tier cache configuration
First Claim
1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a Virtual Private Network (VPN) gateway having an Internet Key Exchange (IKE) which performs cryptographic operations on data packets comprising:
- transmitting from the gateway a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to a second app having a same internally unique IP address as the first app;
receiving, at the VPN gateway, data packets from the first app; and
determining, at the VPN gateway, that the data transmission originated from the first app based on the source port;
searching a local cache in an IPSec component of a datapath for security associations for the data packet;
searching a security policy and security association cache for security associations for the data packet; and
performing cryptographic operations on the data packet using the security associations outside of the IKE process in the gateway.
3 Assignments
0 Petitions
Accused Products
Abstract
Computational complexity, specifically, cryptographic operations, is removed from the IKE(Internet Key Exchange) process in a VPN gateway appliance, thereby enabling scaling of the number of datapaths that can be managed by a single IKE process. A two-tier cache configuration enables necessary cryptographic operations on packets in the gateway but does so without placing additional computational burdens on the IKE process. One cache containing security association data is local to the IPSec component of the datapath instance. The second cache is higher level and is populated by IKE with security association data upon completion of IKE Phase 2 negotiations. The local cache is searched first for security policy data and if found is used to encrypt/decrypt the data packet. If not found locally, the IKE centralized cache is searched and if found, the local cache is updated with the security association data.
-
Citations
9 Claims
-
1. A method of communicating through a virtual private network (VPN) tunnel between a first application (app) on a device and a Virtual Private Network (VPN) gateway having an Internet Key Exchange (IKE) which performs cryptographic operations on data packets comprising:
-
transmitting from the gateway a first range of ports to the first app, wherein the first app uses a port in the first port range as a source port for data transmission from the first app to the VPN gateway, wherein the first port range comprises a plurality of ports not included in a second port range transmitted to a second app having a same internally unique IP address as the first app; receiving, at the VPN gateway, data packets from the first app; and determining, at the VPN gateway, that the data transmission originated from the first app based on the source port; searching a local cache in an IPSec component of a datapath for security associations for the data packet; searching a security policy and security association cache for security associations for the data packet; and performing cryptographic operations on the data packet using the security associations outside of the IKE process in the gateway. - View Dependent Claims (2, 3, 4, 5, 6, 8, 9)
-
-
7. A method as recited in claim l further comprising routing the data packet to a datapath in the gateway.
Specification
-
- Resources
-
Current AssigneeBlue Cedar Networks, Inc.
-
Original AssigneeBlue Cedar Networks, Inc.
-
InventorsWante, Kenneth J.
-
Primary Examiner(s)Zand, Kambiz
-
Assistant Examiner(s)Zoubair, Noura
-
Application NumberUS14/592,711Publication NumberTime in Patent Office649 DaysField of Search713/171, 713/189, 713/192, 370/469US Class Current1/1CPC Class CodesG06F 21/6245 Protecting personal data, e...G06F 2221/2111 Location-sensitive, e.g. ge...H04L 2209/24 Key scheduling, i.e. genera...H04L 61/2517 using port numbersH04L 61/2528 Translation at a proxyH04L 61/2592 using tunnelling or encapsu...H04L 61/5007 Internet protocol [IP] addr...H04L 61/5061 Pools of addressesH04L 63/0272 Virtual private networksH04L 63/164 at the network layerH04L 9/0819 Key transport or distributi...H04L 9/14 using a plurality of keys o...H04W 12/02 Protecting privacy or anony...H04W 12/033 of the user plane, e.g. use...H04W 12/35 Protecting application or s...H04W 12/37 Managing security policies ...H04W 76/12 Setup of transport tunnels
