Efficient use of IPsec tunnels in multi-path environment
7 Assignments
0 Petitions
Abstract
A system and method are provided for securing network traffic across a plurality of connections to a computing device without requiring each connection to have its own security association. The system can include an IPsec encoder configured to obtain a datagram and encode it, wherein the IPsec encoder includes a security association that is associated with a computing entity; a packet analyzer configured to associate metadata with the encoded datagram; and a gateway configured to transmit the encoded datagram using one of the plurality of connections to the computing device.
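The pipeline described above (classifier, IPsec encoder with one security association, packet analyzer, gateway choosing a connection by routing metadata and priority), as an added example that is not code from the patent or its assignee. It also models the receiving end, because sharing one ESP security association across several paths means one sequence-number space and one RFC 4303 anti-replay window: a datagram delivered late over a slower path can fall more than a window behind the fast path and be discarded despite a valid ICV, which the patent text shown here does not address. Encoding is ESP-NULL (RFC 2410, integrity only) with HMAC-SHA-256-128 (RFC 4868) so the block runs on the standard library; the link names, latencies, addresses, key, DSCP threshold and path-selection policy are all assumptions made for the example.

```python
"""Added example, not part of the patent: one ESP security association shared
by every connection to a peer, driven through classify -> encode -> analyze ->
gateway, and verified on the receiving side with an RFC 4303 replay window.
ESP-NULL framing (RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868).
All keys, addresses, link names and policies below are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed connections to peer 10.1.0.1: (link name, one-way latency in ms).
PEER_LINKS = {"10.1.0.1": [("fiber", 5), ("lte", 40)]}
ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits


@dataclass
class SecurityAssociation:
    """One ESP SA; the same object serves all connections to the peer."""
    spi: int
    key: bytes
    seq: int = 0      # sender: a single sequence counter across every path
    highest: int = 0  # receiver: highest sequence number accepted so far
    bitmap: int = 0   # receiver: bit i set <=> seq (highest - i) already seen
    window: int = 64  # receiver: anti-replay window size (RFC 4303 default)


def classify(datagram):
    """First metadata set: priority plus source/destination address.
    Assumed policy: DSCP EF (46) or higher counts as high priority."""
    src, dst, dscp, _payload = datagram
    return {"src": src, "dst": dst, "priority": "high" if dscp >= 46 else "normal"}


def esp_encode(sa, datagram):
    """ESP-NULL packet: SPI || sequence number || payload || ICV."""
    _src, _dst, _dscp, payload = datagram
    sa.seq += 1                                   # shared counter, every path
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def analyze(encoded, meta1):
    """Second metadata set: routing information for the encoded datagram
    (SPI/seq read back from the ESP header plus the links to the peer)."""
    spi, seq = struct.unpack("!II", encoded[:8])
    return {"spi": spi, "seq": seq, "links": PEER_LINKS[meta1["dst"]]}


def gateway_send(links, encoded, meta1, meta2):
    """Select a connection from meta2 and the priority (assumed policy:
    high priority takes the lowest-latency link, the rest the other one)."""
    by_latency = sorted(meta2["links"], key=lambda lk: lk[1])
    name = by_latency[0][0] if meta1["priority"] == "high" else by_latency[-1][0]
    links[name].append(encoded)
    return name


def esp_receive(sa, packet):
    """Verify the ICV, then apply the RFC 4303 sliding anti-replay window."""
    spi, seq = struct.unpack("!II", packet[:8])
    if spi != sa.spi:
        return "unknown spi"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return "bad icv"
    if seq > sa.highest:                          # newer than anything seen
        shift = seq - sa.highest
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.highest = seq
        return "accepted"
    back = sa.highest - seq
    if back >= sa.window:
        return "outside window"                   # valid ICV, still dropped
    if (sa.bitmap >> back) & 1:
        return "replay"
    sa.bitmap |= 1 << back
    return "accepted"


def run_demo():
    """Constructed scenario: one bulk datagram over the slow link, then 70
    voice datagrams over the fast link; the fast link delivers first."""
    key = bytes(range(32))                        # constructed test key only
    tx, rx = SecurityAssociation(0x1001, key), SecurityAssociation(0x1001, key)
    links = {"fiber": [], "lte": []}
    datagrams = [("10.0.0.7", "10.1.0.1", 0, b"bulk backup chunk")]
    datagrams += [("10.0.0.9", "10.1.0.1", 46, b"voice frame %02d" % i) for i in range(70)]
    for d in datagrams:
        meta1 = classify(d)
        enc = esp_encode(tx, d)
        gateway_send(links, enc, meta1, analyze(enc, meta1))
    results = [esp_receive(rx, p) for p in links["fiber"] + links["lte"]]
    tampered = links["fiber"][5][:8] + b"X" + links["fiber"][5][9:]
    return {"fiber": len(links["fiber"]), "lte": len(links["lte"]),
            "accepted": results.count("accepted"),
            "late": results[-1],                  # seq 1 arrives 70 behind seq 71
            "replay": esp_receive(rx, links["fiber"][-1]),
            "tampered": esp_receive(rx, tampered)}
```

In the scenario the 70 packets on the fast link are accepted, the single packet that took the slow link is dropped as "outside window" even though its ICV verifies, a resend of the last packet is caught as a replay, and a modified payload fails the ICV. A real deployment would use an AEAD transform such as AES-GCM instead of ESP-NULL, but the sequencing behaviour is the same: one SA across paths needs a receive window sized for the latency difference between those paths, and the anti-replay check then protects all of them together.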
Claims (19)
1. A system for securing network traffic over multiple connections, the system comprising:
a classifier executable on an appliance comprising circuitry and configured to associate a first set of metadata with a datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address of the datagram or a destination IP address of the datagram;
an IPsec encoder executable on the appliance and configured to obtain the datagram and to encode the datagram, wherein the IPsec encoder includes an IPsec security association for a plurality of connections between the appliance and a computing entity;
a packet analyzer executable on the appliance and configured to analyze the encoded datagram and the first set of metadata and to associate, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram; and
a gateway configured to:
select a connection from the plurality of connections according to the second set of metadata associated with the encoded datagram and the priority of the datagram; and
transmit the encoded datagram using the connection of the plurality of connections selected according to the second set of metadata and the priority to the computing entity, wherein each connection of the plurality of connections is associated with the IPsec security association.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method for securing network traffic over multiple connections, comprising:
obtaining, by a first computing entity including circuitry, a datagram;
associating, by the first computing entity, a first set of metadata with the datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address or a destination IP address of the datagram;
encoding, by the first computing entity, the datagram using an encoding consistent with IPsec, wherein an IPsec security association is associated with a plurality of connections between the first computing entity and a second computing entity;
analyzing, by the first computing entity, the encoded datagram and the first set of metadata;
associating, by the first computing entity, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram;
selecting a connection of the plurality of connections from the first computing entity to the second computing entity based at least on the second set of metadata associated with the datagram and the priority of the datagram, wherein each connection of the plurality of connections is associated with the IPsec security association; and
transmitting the encoded datagram across the selected connection to the second computing entity.
Dependent claims: 9, 10, 11, 12, 13
14. A non-transitory computer readable storage medium storing instructions that are executable by one or more processors to cause the one or more processors to perform operations, comprising:
obtaining a datagram;
associating a first set of metadata with the datagram based on attributes of the datagram, wherein the first set of metadata includes a priority of the datagram and at least one of a source IP address or a destination IP address of the datagram;
encoding the datagram using an encoding consistent with IPsec, wherein an IPsec security association is associated with a plurality of connections between a first computing entity and a second computing entity;
analyzing the encoded datagram and the first set of metadata;
associating, responsive to the analysis, a second set of metadata with the encoded datagram, wherein the second set of metadata includes information for routing the encoded datagram;
selecting a connection of the plurality of connections from the first computing entity to the second computing entity based at least on the second set of metadata associated with the datagram and the priority of the datagram, wherein each connection of the plurality of connections is associated with the IPsec security association; and
transmitting the encoded datagram across the selected connection from the first computing entity to the second computing entity.
Dependent claims: 15, 16, 17, 18, 19
Specification