Efficient intercept of connection-based transport layer connections
3 Assignments
0 Petitions
Abstract
A TCP connection is established between a client and a server, such that packets communicated across the TCP connection pass through a proxy. Based at least in part on a result of monitoring packets flowing across the TCP connection, the proxy determines whether to split the TCP control loop into two TCP control loops so that packets can be inspected more thoroughly. If the TCP control loop is split, then a first TCP control loop manages flow between the client and the proxy, and a second TCP control loop manages flow between the proxy and the server. Because there are two control loops, packets can be held on the proxy long enough to be analyzed. In some circumstances, a decision is then made to stop inspecting. The two TCP control loops are merged into a single TCP control loop, and thereafter the proxy passes packets of the TCP connection through unmodified.
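As an added illustration (constructed here, not the patent's code), a small Python model of the behaviour the abstract describes: one control loop while the proxy passes packets through, two control loops while it acknowledges client data itself and holds it for inspection, and a merge back to one loop. The merge precondition used below (nothing held, and both sides agree on how many bytes have been acknowledged) is an assumption of this model, not a statement from the patent.

```python
from collections import deque


class SpliceProxy:
    """Toy model of a transparent proxy that runs either a single TCP control
    loop (pass-through) or two loops (client<->proxy and proxy<->server).
    Sequence numbers are byte offsets; segments are plain tuples."""

    def __init__(self):
        self.split = False
        self.held = deque()        # segments acked to the client, not yet forwarded
        self.client_acked = 0      # highest byte offset acknowledged toward the client
        self.server_acked = 0      # highest byte offset acknowledged by the server
        self.to_client = []        # segments the proxy emits toward the client
        self.to_server = []        # segments the proxy emits toward the server

    def split_loop(self):
        """Start inspecting: from now on the proxy acknowledges client data itself."""
        self.split = True

    def on_client_data(self, seq, data):
        if not self.split:                      # one loop: forward untouched
            self.to_server.append(("data", seq, data))
            return
        self.held.append((seq, data))           # two loops: hold for analysis
        self.client_acked = seq + len(data)
        self.to_client.append(("ack", self.client_acked))  # first loop acks locally

    def forward_held(self):
        """Analysis of the oldest held segment is done: send it on to the server."""
        seq, data = self.held.popleft()
        self.to_server.append(("data", seq, data))

    def on_server_ack(self, ack):
        self.server_acked = ack
        if not self.split:                      # one loop: the ack passes through
            self.client_acked = ack
            self.to_client.append(("ack", ack))
        # two loops: the second loop consumes the ack; the client was acked earlier

    def can_merge(self):
        # Assumed safety condition (not from the patent): splice only when the proxy
        # holds nothing and both sides agree on the acknowledged byte count.
        return not self.held and self.server_acked == self.client_acked

    def merge_loops(self):
        """Stop inspecting and return to a single control loop."""
        if not self.can_merge():
            raise RuntimeError("held bytes not yet acknowledged by the server")
        self.split = False
```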
26 Claims
1. A method comprising:
(a) forwarding packets through a transparent proxy such that a single TCP (Transmission Control Protocol) connection is established between a client and server, wherein a single TCP control loop manages flow control between the client and the server across the single TCP connection in (a);
(b) after establishment of the single TCP connection in (a) communicating an amount of information across the single TCP connection through the transparent proxy, wherein the communication of the amount of information in (b) involves communication of the amount of information between the client and the transparent proxy, wherein a first TCP control loop manages flow control for the communication of the amount of information between the client and the transparent proxy, wherein the communication of the amount of information in (b) also involves communication of the amount of information between the transparent proxy and the server, and wherein a second TCP control loop manages flow control for the communication of the amount of information between the transparent proxy and the server;
(c) decrypting at least some of the amount of information communicated in (b);
(d) based at least in part on a result of the decrypting determining to connect the first TCP control loop and the second TCP control loop to form the single TCP control loop;
(e) connecting the first TCP control loop and the second TCP control loop to form the single TCP control loop and using the single TCP control loop to manage flow control across the single TCP connection; and
(f) after the connecting of (e) forwarding packets through the transparent proxy across the single TCP connection, wherein flow control across the single TCP connection in (f) is managed by the single TCP control loop.
Dependent claims: 2, 3, 4, 5.
6. A method comprising:
communicating information through a transparent proxy across a single TCP (Transmission Control Protocol) connection, wherein the single TCP connection is between a client and a server, wherein flow control for communication across the TCP connection between the client and the transparent proxy is managed by a first TCP control loop, wherein flow control for communication across the TCP connection between the transparent proxy and the server is managed by a second TCP control loop, wherein at least some of the information communicated via the single TCP connection is decrypted, wherein based at least in part on a result of the decryption a determination is made to connect the first TCP control loop and the second TCP control loop; and
combining the first TCP control loop and the second TCP control loop to form a single TCP control loop, wherein packets are forwarded through the transparent proxy across the single TCP connection, and wherein the single TCP connection is managed by the single TCP control loop.
Dependent claims: 7, 8, 9, 10, 11.
12. A method comprising:
(a) maintaining a first TCP (Transmission Control Protocol) Transmission Control Block (TCB) on a second network device;
(b) using the first TCP TCB to manage flow control across a first portion of a single TCP connection between a first network device and the second network device;
(c) maintaining a second TCP TCB on the second network device;
(d) using the second TCP TCB to manage flow control across a second portion of the single TCP connection between the second network device and a third network device, wherein the single TCP connection is between the first network device and the third network device;
(e) decrypting at least some information communicated via the single TCP connection;
(f) based at least in part on a result of the decrypting of (e) determining to combine the flow control across the first portion of the single TCP connection with the flow control across the second portion of the single TCP connection to form a single TCP flow control; and
(g) combining the flow control across the first portion of the single TCP connection with the flow control across the second portion of the single TCP connection to form the single TCP flow control, wherein packets are forwarded through the second network device across the single TCP connection, wherein the single TCP connection is managed by the single TCP flow control, wherein (a) through (d) and (g) are performed by the second network device.
Dependent claims: 13, 14, 15.
16. A network device comprising:
a memory for storing a first TCP (Transmission Control Protocol) Transmission Control Block (TCB) and a second TCP TCB, wherein the first TCP TCB and the second TCP TCB are TCBs; and
a first means for using the first TCP TCB to manage flow control across a first portion of a single TCP connection and for using the second TCP TCB to manage flow control across a second portion of the single TCP connection; and
a second means, wherein at least some information communicated via the single TCP connection is decrypted, wherein a decision is made to combine the flow control across the first portion of the single TCP connection and the flow control across the second portion of the TCP connection based at least in part on a result of the decryption, wherein the second means is also for combining the flow control across the first portion of the single TCP connection and the flow control across the second portion of the single TCP connection to form the single TCP flow control, wherein packets are forwarded through the second means across the single TCP connection, wherein the single TCP connection is managed by the single TCP flow control.
Dependent claims: 17, 18, 19.
20. A network device, comprising:
a memory; and
means for:
(a) decrypting first information passing across a TCP (Transmission Control Protocol) connection, wherein the first information is communicated via the TCP connection through the network device;
(b) as a result of the decrypting of (a) making a determination that the first information has a first characteristic;
(c) in response to the making of the determination in (b) splitting a single TCP control loop that manages flow across the TCP connection into two TCP control loops, wherein after the splitting the memory stores two TCP Transmission Control Blocks (TCBs) for the TCP connection;
(d) after the splitting of (c) monitoring second information communicated via the TCP connection and making a determination that the second information does not have a second characteristic;
(e) in response to the making of the determination in (d) connecting the two TCP control loops into a single TCP control loop such that the single TCP control loop manages flow across the TCP connection, wherein packets are forwarded through the network device across the single TCP connection, wherein flow control across the TCP connection is managed by the single TCP control loop, and wherein an acknowledgement signal received by the single TCP control loop is transmitted by the single TCP control loop; and
(f) after the connecting of (e) communicating third information through the network device via the TCP connection, wherein at no time from the monitoring of (a) to the communicating of (f) is the TCP connection terminated on the network device, and wherein all of the first information, the second information, and the third information is at least received onto the network device via the TCP connection.
Dependent claims: 21, 22.
23. A method comprising:
(a) operating a network device such that information is communicated across a TCP (Transmission Control Protocol) connection and through the network device, wherein the TCP connection is not terminated on the network device, and wherein flow across the TCP connection is managed by a single TCP control loop, wherein packets are forwarded through the network device across the single TCP connection, wherein flow control across the TCP connection is managed by the single TCP control loop and wherein an acknowledgement signal received by the single TCP control loop is transmitted by the single TCP control loop;
(b) after the operating of (a) splitting the single TCP control loop into a first TCP control loop and a second TCP control loop, wherein after the splitting the network device maintains a first TCP Transmission Control Block (TCB) for the first TCP control loop, and wherein after the splitting the network device maintains a second TCP TCB for the second TCP control loop;
(c) after the splitting of (b) decrypting information passing via the TCP connection into the network device; and
(d) based at least in part on a result of the decrypting of (c) making a determination to take a particular action, wherein (a) through (d) are performed by the network device, and wherein at no time between the operating of (a) and the making of the determination of (d) is the TCP connection terminated on the network device.
Dependent claims: 24, 25, 26.
Specification