Efficient use of IPsec tunnels in multi-path environment

US 10,051,000 B2
Filed: 07/28/2015
Issued: 08/14/2018
Est. Priority Date: 07/28/2015
Status: Active Grant

First Claim

Patent Images

1. A system for securing network traffic over multiple connections, the system comprising:

a classifier executable on an appliance comprising circuitry and configured to associate a first set of metadata with a datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address of the datagram or a destination IP address of the datagram;

an IPsec encoder executable on the appliance and configured to obtain the datagram and to encode the datagram, wherein the IPsec encoder includes an IPsec security association for a plurality of connections between the appliance and a computing entity;

a packet analyzer executable on the appliance and configured to analyze the encoded datagram and the first set of metadata and to associate, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram; and

a gateway configured to;

select a connection from the plurality of connections according to the second set of metadata associated with the encoded datagram and the priority of the datagram;

transmit the encoded datagram using the connection of the plurality of connections selected according to the second set of metadata and the priority to the computing entity, wherein each connection of the plurality of connections is associated with the IPsec security association.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is provided for securing network traffic across a plurality of connections to a computing device without requiring each connection to have its own security association. The system can include an IPsec encoder configured to obtain a datagram and encode a datagram, wherein the IPsec encoder includes a security association that is associated with a computing entity, a packet analyzer configured to associate metadata with the encoded datagram, and a gateway to transmit the encoded datagram using one of the plurality of connections to the computing device.

Citations

19 Claims

1. A system for securing network traffic over multiple connections, the system comprising:
- a classifier executable on an appliance comprising circuitry and configured to associate a first set of metadata with a datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address of the datagram or a destination IP address of the datagram;
  
  an IPsec encoder executable on the appliance and configured to obtain the datagram and to encode the datagram, wherein the IPsec encoder includes an IPsec security association for a plurality of connections between the appliance and a computing entity;
  
  a packet analyzer executable on the appliance and configured to analyze the encoded datagram and the first set of metadata and to associate, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram; and
  
  a gateway configured to;
  
  select a connection from the plurality of connections according to the second set of metadata associated with the encoded datagram and the priority of the datagram;
  
  transmit the encoded datagram using the connection of the plurality of connections selected according to the second set of metadata and the priority to the computing entity, wherein each connection of the plurality of connections is associated with the IPsec security association.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, further comprising:
    - a link evaluator configured to evaluate the plurality of connections; and
      
      wherein the packet router is further configured to route the encoded datagram based at least on one of the first set of associated metadata and the second set of associated metadata, and the evaluation of the plurality of connections.
  - 3. The system of claim 1, wherein the first set of metadata associated with the encoded datagram includes at least one of a timestamp or a sequence n umber.
  - 4. The system of claim 1, wherein the computing device is configured to:
    - receive one or more encoded datagrams;
      
      organize the one or more encoded datagrams partially based on the first set of metadata;
      
      anddecode the one or more encoded datagrams using the security association that is associated with the computing entity.
  - 5. The system of claim 1, wherein the computing entity includes at least one of a second appliance and a second gateway and is connected to the gateway via the plurality of connections.
  - 6. The system of claim 1, wherein the IPsec security association defines a set of security parameters for the plurality of connections between the appliance and the computing entity.
  - 7. The system of claim 1, wherein the IPsec security association includes an encryption key for decrypting encoded datagrams transmitted via the plurality of connections.

8. A method for securing network traffic over multiple connections, comprising:
- obtaining, by a first computing entity including circuitry, a datagram;
  
  associating, by the first computing entity, a first set of metadata with the datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address or a destination IP address of the datagram;
  
  encoding, by the first computing entity, the datagram using an encoding consistent with IPsec, wherein an IPsec security association is associated with a plurality of connections between the first computing entity and a second computing entity;
  
  analyzing, by the first computing entity, the encoded datagram and the first set of metadata;
  
  associating, by the first computing entity, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram;
  
  selecting a connection of the plurality of connections from the first computing entity to the second computing entity based at least on the second set of metadata associated with the datagram and the priority of the datagram, wherein each connection of the plurality of connections is associated with the IPsec security association; and
  
  transmitting the encoded datagram across the selected connection to the second computing entity.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising:
    - evaluating the plurality of connections; and
      
      routing the encoded datagram based at least on one of the first set of metadata and the second set of metadata and the evaluations of the plurality of connections.
  - 10. The method of claim 8, wherein the first set of metadata associated with the encoded datagram includes at least one of a timestamp or a sequence number.
  - 11. The method of claim 10, wherein the at least one of the timestamp or the sequence number is used for organizing the one or more encoded datagrams at the computing entity.
  - 12. The method of claim 8, wherein the IPsec security association defines a set of security parameters for the plurality of connections between the first computing entity and the second computing entity.
  - 13. The method of claim 8, wherein the IPsec security association includes an encryption key for decrypting encoded datagrams transmitted across the plurality of connections.

14. A non-transitory computer readable storage medium storing instructions that are executable by one or more processors to cause the one or more processors to perform operations, comprising:
- obtaining a datagram;
  
  associating a first set of metadata with the datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address or a IP destination IP address of the datagram;
  
  encoding the datagram using an encoding consistent with IPsec, wherein an IPsec security association is associated with a plurality of connections between a first computing entity and a second computing entity;
  
  analyzing the encoded datagram and first set of metadata,associating, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram;
  
  selecting a connection of the plurality of connections from the first computing entity to the second computing entity based at least on the second set of metadata associated with the datagram and the priority of the datagram, wherein each connection of the plurality of connections is associated with the IPsec security association; and
  
  transmitting the encoded datagram across the selected connection one of a plurality of connections from the first computing entity to the second computing entity.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer readable storage medium of claim 14, wherein the set of instructions that are executable by the one or more processors to cause the one or more processors to further perform:
    - evaluating the plurality of connections; and
      
      routing the encoded datagram based at least on one of the first set of metadata and the second set of metadata and the evaluation of the plurality of connections.
  - 16. The non-transitory computer readable storage medium of claim 14, wherein the metadata associated with the encoded datagram includes at least one of a timestamp or a sequence number.
  - 17. The non-transitory computer readable storage medium of claim 14, wherein the at least one of the timestamp or the sequence number is used for organizing the one or more encoded datagrams at the computing entity.
  - 18. The non-transitory computer readable storage medium of claim 14, wherein the IPsec security association defines a set of security parameters for the plurality of connections between the first computing entity and the second computing entity.
  - 19. The non-transitory computer readable storage medium of claim 14, wherein the IPsec security association includes an encryption key for decrypting encoded datagrams transmitted across the plurality of connections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Murgia, Marco Antonio
Primary Examiner(s)
Gracia, Gary S

Application Number

US14/811,695
Publication Number

US 20170034213A1
Time in Patent Office

1,113 Days
Field of Search

380 44, 370235, 370236, 726 1, 726 3, 713151, 713160
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04W 76/12   Setup of transport tunnels

Efficient use of IPsec tunnels in multi-path environment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient use of IPsec tunnels in multi-path environment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links