Facilitating secure network traffic by an application delivery controller

US 10,038,693 B2
Filed: 05/02/2014
Issued: 07/31/2018
Est. Priority Date: 05/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:

receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;

determining, by the network device, network capabilities of a server, the network capabilities including at least network parameters that the server is capable to serve;

correlating, by the network device, the network capabilities of the server with the information present in the data packet, the correlating including;

computing, by the network device, the information present in the data packet to obtain one or more network parameter values associated with the client; and

looking up, by the network device, the one or more network parameter values in an index table to select, from a plurality of combinations of network parameters that the server is capable of serving, a combination of network parameters that the server is capable to serve and that corresponds to the one or more network parameter values, the index table storing a plurality of network parameter values corresponding to the plurality of combinations of network parameters that the server is capable to serve; and

applying, by the network device, a tunneling protocol to transfer, by the network device, the combination of network parameters to the server, the applying the tunneling protocol including;

creating, by the network device, a modified data packet and placing the data packet and a transmission control protocol (TCP) options header into the modified data packet, the TCP options header comprising information including at least a sequence number for a protocol connection, wherein the information present in the TCP options header includes the combination of network parameters selected from the index table to match the network parameters that the server is capable to serve; and

forwarding, by the network device, the modified data packet to the server, wherein the server extracts, from the modified data packet, the data packet and the combination of network parameters and processes the data packet based on the combination of network parameters that the server is capable of serving.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitation of secure network traffic by an application delivery controller is provided herein. In some examples, a method includes: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.

540 Citations

20 Claims

1. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;
  
  determining, by the network device, network capabilities of a server, the network capabilities including at least network parameters that the server is capable to serve;
  
  correlating, by the network device, the network capabilities of the server with the information present in the data packet, the correlating including;
  
  computing, by the network device, the information present in the data packet to obtain one or more network parameter values associated with the client; and
  
  looking up, by the network device, the one or more network parameter values in an index table to select, from a plurality of combinations of network parameters that the server is capable of serving, a combination of network parameters that the server is capable to serve and that corresponds to the one or more network parameter values, the index table storing a plurality of network parameter values corresponding to the plurality of combinations of network parameters that the server is capable to serve; and
  
  applying, by the network device, a tunneling protocol to transfer, by the network device, the combination of network parameters to the server, the applying the tunneling protocol including;
  
  creating, by the network device, a modified data packet and placing the data packet and a transmission control protocol (TCP) options header into the modified data packet, the TCP options header comprising information including at least a sequence number for a protocol connection, wherein the information present in the TCP options header includes the combination of network parameters selected from the index table to match the network parameters that the server is capable to serve; and
  
  forwarding, by the network device, the modified data packet to the server, wherein the server extracts, from the modified data packet, the data packet and the combination of network parameters and processes the data packet based on the combination of network parameters that the server is capable of serving.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the data packet received from the client comprises a SYN-cookie received from the network device, wherein the SYN-cookie comprises a sequence number for the network device and an acknowledgement (ACK) that includes a sequence number of the client.
  - 3. The method of claim 2, wherein the network device does not retain information from the data packet until the ACK has been received from the client and a network connection has been established between the server and the client.
  - 4. The method of claim 3, wherein Internet Protocol (IP) connection information is embedded into the ACK, the ACK being forwarded to the server.
  - 5. The method of claim 3, wherein the network device does not retain the TCP options when the network device is operating in a stateless mode.
  - 6. The method of claim 1, wherein the TCP options comprise a maximum segment size, a window scale, and a selective acknowledgement message, wherein the selective acknowledgement message is used for selective retransmission of individual data packets that were not received by the server.
  - 7. The method of claim 1, wherein TCP options are included in the data packet received from the client.
  - 8. The method of claim 1, further comprising authenticating the client by the network device.
  - 9. The method of claim 8, further comprising embedding or stamping any of a server sequence number, a client maximum segment size, a client timestamp, or any other information required for the server to process the embedded data packet, or any combinations thereof.
  - 10. The method of claim 1, wherein the TCP options are embodied in a single message having a predetermined length of bits, wherein the length of bits is separated into segments, each of the segments comprising bits representing one of the TCP options.

11. A method for facilitating secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving, at the network device, a data packet with information from a client indicating that the client is a trusted source;
  
  determining, by the network device, network capabilities of a server, the network capabilities including at least network parameters that the server is capable to serve;
  
  correlating, by the network device, the network capabilities of the server with the information present in the data packet, the correlating including;
  
  computing, by the network device, the information present in the data packet to obtain one or more network parameter values associated with the client; and
  
  looking up, by the network device, the one or more network parameter values in an index table to select, from a plurality of combinations of network parameters that the server is capable of serving, a combination of network parameters that the server is capable to serve and that corresponds to the one or more network parameter values, the index table storing the plurality of network parameter values corresponding to a plurality of combinations of network parameters that the server is capable to serve; and
  
  applying, by the network device, a tunneling protocol to transfer, by the network device, the combination of network parameters to the server, the applying the tunneling protocol including;
  
  creating, by the network device, a modified data packet and placing, into the modified data packet, the data packet and an Internet protocol (IP) header of the modified data packet with an encoded value from the index table, the encoded value from the index table representing the combination of network parameters selected from the index table to match the network parameters that the server is capable to serve; and
  
  forwarding, by the network device, the data packet with the modified IP header to the server, wherein the server extracts, from the data packet with the modified IP header, the combination of network parameters and processes the data packet based on the combination of network parameters that the server is capable of serving.
- View Dependent Claims (12)
- - 12. The method of claim 11, further comprising:
    - authenticating the client, wherein the computing the information present in the data packet includes computing parameters included in a SYN packet received from the client; and
      
      encoding the combination of network parameters into an IP identification field of the IP header of the data packet.

13. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;
  
  determining, by the network device, network capabilities of a server, the network capabilities including at least network parameters that the server is capable to serve;
  
  correlating, by the network device, the network capabilities of the server with the information present in the data packet, the correlating including;
  
  computing, by the network device, the information present in the data packet to obtain one or more network parameter values associated with the client; and
  
  looking up, by the network device, the one or more network parameter values in an index table to select, from a plurality of combinations of network parameters that the server is capable of serving, a combination of network parameters that the server is capable to serve and that corresponds to the one or more network parameter values, the index table storing the plurality of network parameter values corresponding to a plurality of combinations of network parameters that the server is capable to serve;
  
  receiving, by the network device, data packets of a data flow from the client, the data flow being associated with transfer parameters;
  
  communicating, by the network device, in a first channel established between the network device and the server, the transfer parameters associated with the data flow and connection parameters associated with a SYN packet received from the client, the connection parameters comprising the combination of network parameters that the server is capable to serve for data transfer over the secure network, wherein the transfer parameters and the connection parameters are communicated by the network device to the server using a tunneling protocol by;
  
  creating, by the network device, a modified data packet and placing the data packet, the transfer parameters, and the connection parameters into a TCP options header or an IP header of the modified data packet, andforwarding, by the network device, the modified data packet to the server, wherein the server extracts, from the modified data packet, the data packet and the connection parameters and processes the data packet based on the combination of network parameters that the server is capable to serve; and
  
  forwarding, by the network device, in a second channel established between the network device and the server, the data packets of the data flow from the client.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the combination of network parameters comprises at least one of sequence numbers, timestamp, and window size.

15. An application delivery controller, comprising:
- a processor; and
  
  a memory for storing executable instructions, the processor being configured to execute the instructions to;
  
  receive a data packet with information from a client indicating that the client is a trusted source;
  
  determine network capabilities of a server, the network capabilities including at least network parameters that the server is capable to serve;
  
  correlate the network capabilities of the server with the information present in the data packet, the correlating including;
  
  computing the information present in the data packet to obtain one or more network parameter values associated with the client; and
  
  looking up the one or more network parameter values in an index table to select, from a plurality of combinations of network parameters that the server is capable of serving, a combination of network parameters that the server is capable to serve and that corresponds to the one or more network parameter values, the index table storing the plurality of network parameter values corresponding to a plurality of combinations of network parameters that the server is capable to serve;
  
  apply a tunneling protocol to transfer the combination of network parameters to the server, the applying the tunneling protocol including either;
  
  (1) creating a first modified data packet and placing the data packet and a transmission control protocol (TCP) options header into the first modified data packet, the TCP options header comprising parameters for a protocol connection, the parameters including the combination of network parameters selected from the index table to match the network parameters that the server is capable to serve, or(2) creating a second modified data packet and placing, into the second modified data packet, the data packet and an Internet protocol (IP) header of the modified data packet with an encoded value from an index table, the encoded value representing the combination of network parameters selected from the index table to match the network parameters that the server is capable to serve; and
  
  forward the first modified data packet or the second modified data packet to the server, wherein the server extracts, from the first modified data packet or the second modified data packet, the data packet and the combination of network parameters and processes the data packet based on the combination of network parameters vu is capable of serving.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The application delivery controller of claim 15, wherein the application delivery controller comprises a module that is configured to place an acknowledgement (ACK) packet in the IP header of the data packet.
  - 17. The application delivery controller of claim 16, wherein the tunneling protocol is associated with IP tunneling used by the application delivery controller to transfer the second modified data packet to the server.
  - 18. The application delivery controller of claim 17, wherein the parameters included in the TCP options header are placed into a tunnel header.
  - 19. The application delivery controller of claim 15, wherein the application delivery controller is configured to determine TCP options that the server is capable of providing.
  - 20. The application delivery controller of claim 19, wherein the application delivery controller is configured to adjust the parameters in the TCP options header with the TCP options that the server is capable of providing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jalan, Rajkumar, Kamat, Gurudeep
Primary Examiner(s)
Book, Phyllis A

Application Number

US14/268,914
Publication Number

US 20140330982A1
Time in Patent Office

1,551 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

Facilitating secure network traffic by an application delivery controller

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

540 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating secure network traffic by an application delivery controller

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

540 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links