Efficient intercept of connection-based transport layer connections

US 9,935,879 B2
Filed: 12/29/2012
Issued: 04/03/2018
Est. Priority Date: 12/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(a) forwarding packets through a transparent proxy such that a single TCP (Transmission Control Protocol) connection is established between a client and server, wherein a single TCP control loop manages flow control between the client and the server across the single TCP connection in (a);

(b) after establishment of the single TCP connection in (a) communicating an amount of information across the single TCP connection through the transparent proxy, wherein the communication of the amount of information in (b) involves communication of the amount of information between the client and the transparent proxy, wherein a first TCP control loop manages flow control for the communication of the amount of information between the client and the transparent proxy, wherein the communication of the amount of information in (b) also involves communication of the amount of information between the transparent proxy and the server, and wherein a second TCP control loop manages flow control for the communication of the amount of information between the transparent proxy and the server;

(c) decrypting at least some of the amount of information communicated in (b);

(d) based at least in part on a result of the decrypting determining to connect the first TCP control loop and the second TCP control loop to form the single TCP control loop;

(e) connecting the first TCP control loop and the second TCP control loop to form the single TCP control loop and using the single TCP control loop to manage flow control across the single TCP connection; and

(f) after the connecting of (e) forwarding packets through the transparent proxy across the single TCP connection, wherein flow control across the single TCP connection in (f) is managed by the single TCP control loop.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A TCP connection is established between a client and a server, such that packets communicated across the TCP connection pass through a proxy. Based at least in part on a result of monitoring packets flowing across the TCP connection, the proxy determines whether to split the TCP control loop into two TCP control loops so that packets can be inspected more thoroughly. If the TCP control loop is split, then a first TCP control loop manages flow between the client the proxy and a second TCP control loop manages flow between the proxy and the server. Due to the two control loops, packets can be held on the proxy long enough to be analyzed. In some circumstances, a decision is then made to stop inspecting. The two TCP control loops are merged into a single TCP control loop, and thereafter the proxy passes packets of the TCP connection through unmodified.

Citations

26 Claims

1. A method comprising:
- (a) forwarding packets through a transparent proxy such that a single TCP (Transmission Control Protocol) connection is established between a client and server, wherein a single TCP control loop manages flow control between the client and the server across the single TCP connection in (a);
  
  (b) after establishment of the single TCP connection in (a) communicating an amount of information across the single TCP connection through the transparent proxy, wherein the communication of the amount of information in (b) involves communication of the amount of information between the client and the transparent proxy, wherein a first TCP control loop manages flow control for the communication of the amount of information between the client and the transparent proxy, wherein the communication of the amount of information in (b) also involves communication of the amount of information between the transparent proxy and the server, and wherein a second TCP control loop manages flow control for the communication of the amount of information between the transparent proxy and the server;
  
  (c) decrypting at least some of the amount of information communicated in (b);
  
  (d) based at least in part on a result of the decrypting determining to connect the first TCP control loop and the second TCP control loop to form the single TCP control loop;
  
  (e) connecting the first TCP control loop and the second TCP control loop to form the single TCP control loop and using the single TCP control loop to manage flow control across the single TCP connection; and
  
  (f) after the connecting of (e) forwarding packets through the transparent proxy across the single TCP connection, wherein flow control across the single TCP connection in (f) is managed by the single TCP control loop.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - monitoring packets passing through the transparent proxy across the single TCP connection;
      
      using information obtained during the monitoring to initialize a TCP Transmission Control Block (TCB) for the first TCP control loop; and
      
      using information obtained during the monitoring to initialize a TCP TCB for the second TCP control loop.
  - 3. The method of claim 1, further comprising:
    - detecting an SSL (Secure Sockets Layer) handshake signature after the forwarding of (a); and
      
      in response to the detecting of the SSL handshake signature splitting the single TCP control loop of (a) into the first and second TCP control loops of (b).
  - 4. The method of claim 3, wherein the SSL handshake signature is a signature of an SSL session, the method further comprising:
    - storing a policy on the transparent proxy;
      
      receiving a certificate onto the transparent proxy across the TCP connection;
      
      applying the policy to the certificate; and
      
      based at least in part on a result of the applying determining to intercept the SSL session.
  - 5. The method of claim 3, further comprising:
    - storing a policy on the transparent proxy;
      
      receiving a certificate onto the transparent proxy across the TCP connection;
      
      applying the policy to the certificate; and
      
      based at least in part on a result of the applying determining to connect the first TCP control loop and the second TCP control loop to form a single TCP control loop.

6. A method comprising:
- communicating information through a transparent proxy across a single TCP (Transmission Control Protocol) connection, wherein the single TCP connection is between a client and a server, wherein flow control for communication across the TCP connection between the client and the transparent proxy is managed by a first TCP control loop, wherein flow control for communication across the TCP connection between the transparent proxy and the server is managed by a second TCP control loop, wherein at least some of the information communicated via the single TCP connection is decrypted, wherein based at least in part on a result of the decryption a determination is made to connect the first TCP control loop and the second TCP control loop; and
  
  combining the first TCP control loop and the second TCP control loop to form a single TCP control loop, wherein packets are forwarded through the transparent proxy across the single TCP connection, and wherein the single TCP connection is managed by the single TCP control loop.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, further comprising:
    - maintaining a first TCP Transmission Control Block (TCB) on the transparent proxy for the first TCP control loop; and
      
      maintaining a second TCP Transmission Control Block (TCB) on the transparent proxy for the second TCP control loop.
  - 8. The method of claim 6, wherein the information is communicated as payloads of packets, wherein the single TCP connection involves two flows, wherein all packets of a first of the flows have the same TCP source port, the same TCP destination port, and same IP (Internet Protocol) source address and the same IP destination address, and wherein all packets of a second of the flows have the same TCP source port, the same TCP destination port, and same IP source address and the same IP destination address.
  - 9. The method of claim 6, wherein the transparent proxy does not terminate the single TCP connection.
  - 10. The method of claim 6, further comprising:
    - communicating packets through the transparent proxy such that the client and the server establish the single TCP connection.
  - 11. The method of claim 6, wherein the combining is performed without terminating the single TCP connection, and wherein the single TCP control loop after being formed manages flow control between the client and the server.

12. A method comprising:
- (a) maintaining a first TCP (Transmission Control Protocol) Transmission Control Block (TCB) on a second network device;
  
  (b) using the first TCP TCB to manage flow control across a first portion of a single TCP connection between a first network device and the second network device;
  
  (c) maintaining a second TCP TCB on the second network device;
  
  (d) using the second TCP TCB to manage flow control across a second portion of the single TCP connection between the second network device and a third network device, wherein the single TCP connection is between the first network device and the third network device;
  
  (e) decrypting at least some information communicated via the single TCP connection;
  
  (f) based at least in part on a result of the decrypting of (e) determining to combine the flow control across the first portion of the single TCP connection with the flow control across the second portion of the single TCP connection to form a single TCP flow control; and
  
  (g) combining the flow control across the first portion of the single TCP connection with the flow control across the second portion of the single TCP connection to form the single TCP flow control, wherein packets are forwarded through the second network device across the single TCP connection, wherein the single TCP connection is managed by the single TCP flow control, wherein (a) through (d) and (g) are performed by the second network device.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein the first TCP TCB is used in (b) by a first TCP control loop that manages the flow control across the first portion of the TCP connection, and wherein the second TCP TCB is used in (d) by a second TCP control loop that manages the flow control across the second portion of the TCP connection.
  - 14. The method of claim 12, further comprising:
    - (h) monitoring information passing across the TCP connection; and
      
      (l) initializing the first TCP TCB and the second TCP TCB based at least in part on a result of (h), wherein (h) and (i) are performed by the second network device, and wherein (h) and (i) occur before any one of (a) through (d).
  - 15. The method of claim 12, further comprising:
    - (h) after a period of time of using the first and second TCP TCBs to manage flow control across the first and second portions of the TCP connection communicating packets of the TCP connection through the second network device without using the first and second TCP TCBs to manage flow control across the TCP connection such that a majority of flow control for the TCP connection is managed by the first and third network devices, wherein the majority of the packets are not modified.

16. A network device comprising:
- a memory for storing a first TCP (Transmission Control Protocol) Transmission Control Block (TCB) and a second TCP TCB, wherein the first TCP TCB and the second TCP TCB are TCBs; and
  
  a first means for using the first TCP TCB to manage flow control across a first portion of a single TCP connection and for using the second TCP TCB to manage flow control across a second portion of the single TCP connection; and
  
  a second means, wherein at least some information communicated via the single TCP connection is decrypted, wherein a decision is made to combine the flow control across the first portion of the single TCP connection and the flow control across the second portion of the TCP connection based at least in part on a result of the decryption, wherein the second means is also for combining the flow control across the first portion of the single TCP connection and the flow control across the second portion of the single TCP connection to form the single TCP flow control, wherein packets are forwarded through the second means across the single TCP connection, wherein the single TCP connection is managed by the single TCP flow control.
- View Dependent Claims (17, 18, 19)
- - 17. The network device of claim 16, wherein the single TCP connection involves a pair of flows of packets, wherein the packets flow between a client device and a server device, wherein all packets of the pair of flows pass through the network device, wherein the network device is not the client device, and wherein the network device is not the server device.
  - 18. The network device of claim 16, wherein flow control across the first portion of the single TCP connection is managed by a first TCP control loop, wherein flow control across the second portion of the single TCP connection is managed by a second TCP control loop, and wherein the second means is also for connecting the first and second TCP control loops to form a single TCP control loop that manages flow control across the single TCP connection.
  - 19. The network device of claim 16, wherein the single TCP connection is between a client device and a server device, and wherein the second means is also for allowing packets to be forwarded through the network device such that the single TCP connection is established by the client device and by the server device.

20. A network device, comprising:
- a memory; and
  
  means for;
  
  (a) decrypting first information passing across a TCP (Transmission Control Protocol) connection, wherein the first information is communicated via the TCP connection through the network device;
  
  (b) as a result of the decrypting of (a) making a determination that the first information has a first characteristic;
  
  (c) in response to the making of the determination in (b) splitting a single TCP control loop that manages flow across the TCP connection into two TCP control loops, wherein after the splitting the memory stores two TCP Transmission Control Blocks (TCBs) for the TCP connection;
  
  (d) after the splitting of (c) monitoring second information communicated via the TCP connection and making a determination that the second information does not have a second characteristic;
  
  (e) in response to the making of the determination in (d) connecting the two TCP control loops into a single TCP control loop such that the single TCP control loop manages flow across the TCP connection, wherein packets are forwarded through the network device across the single TCP connection, wherein flow control across the TCP connection is managed by the single TCP control loop, and wherein an acknowledgement signal received by the single TCP control loop is transmitted by the single TCP control loop; and
  
  (f) after the connecting of (e) communicating third information through the network device via the TCP connection, wherein at no time from the monitoring of (a) to the communicating of (f) is the TCP connection terminated on the network device, and wherein all of the first information, the second information, and the third information is at least received onto the network device via the TCP connection.
- View Dependent Claims (21, 22)
- - 21. The network device of claim 20, wherein the determination in (b) that that first information has a first characteristic is a determination that the first information exhibits an SSL (Secure Sockets Layer) signature.
  - 22. The network device of claim 21, wherein the determination in (d) that the second information does not have the second characteristic is a determination that the TCP connection is not carrying packets of an SSL session that has certain characteristics.

23. A method comprising:
- (a) operating a network device such that information is communicated across a TCP (Transmission Control Protocol) connection and through the network device, wherein the TCP connection is not terminated on the network device, and wherein flow across the TCP connection is managed by a single TCP control loop, wherein packets are forwarded through the network device across the single TCP connection, wherein flow control across the TCP connection is managed by the single TCP control loop and wherein an acknowledgement signal received by the single TCP control loop is transmitted by the single TCP control loop;
  
  (b) after the operating of (a) splitting the single TCP control loop into a first TCP control loop and a second TCP control loop, wherein after the splitting the network device maintains a first TCP Transmission Control Blocks (TCB) for the first TCP control loop, and wherein after the splitting the network device maintains a second TCP TCB for the second TCP control loop;
  
  (c) after the splitting of (b) decrypting information passing via the TCP connection into the network device; and
  
  (d) based at least in part on a result of the decrypting of (c) making a determination to take a particular action, wherein (a) through (d) are performed by the network device, and wherein at no time between the operating of (a) and the making of the determination of (d) is the TCP connection terminated on the network device.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, wherein the decrypting of (c) involves decrypting at least some of the information passing via the TCP connection into the network device.
  - 25. The method of claim 23, wherein the decrypting of (c) involves:
    - 1) combining the payloads of a plurality of packets and thereby forming an SSL record,
      
      2) decrypting the SSL record, and
      
      3) analyzing a result of the decrypting.
  - 26. The method of claim 23, wherein the particular action in (d) involves:
    - 1) forwarding at least some of the information from the network device in the form of packets to a recording device, and
      
      2) communicating the information via the TCP connection out of the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netronome Systems Incorporated
Original Assignee
Netronome Systems Incorporated
Inventors
du Toit, Roelof Nico, Fourie, Jacques, Djalaliev, Peter Liudmilov
Primary Examiner(s)
Parry, Chris
Assistant Examiner(s)
STILTNER, WEIWEI YE

Application Number

US13/730,985
Publication Number

US 20140189093A1
Time in Patent Office

1,921 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 69/163   In-band adaptation of TCP d...

H04L 9/40   Network security protocols

Efficient intercept of connection-based transport layer connections

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient intercept of connection-based transport layer connections

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links