Facilitating secure network traffic by an application delivery controller

US 10,305,904 B2
Filed: 12/29/2017
Issued: 05/28/2019
Est. Priority Date: 05/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:

receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;

embedding, by the network device, in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; and

forwarding, by the network device, the embedded data packet to a server, the server recognizing, based on the server sequence number, the embedded data packet as associated with the trusted source previously authenticated by the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitation of secure network traffic by an application delivery controller is provided herein. In some examples, a method includes: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.

515 Citations

20 Claims

1. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;
  
  embedding, by the network device, in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; and
  
  forwarding, by the network device, the embedded data packet to a server, the server recognizing, based on the server sequence number, the embedded data packet as associated with the trusted source previously authenticated by the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the data packet received from the client comprises a synchronization (SYN)-cookie received from the network device, wherein the SYN-cookie comprises a sequence number for the network device and an acknowledgement (ACK) that includes a sequence number of the client.
  - 3. The method of claim 2, wherein the network device does not retain information from the data packet until the ACK has been received from the client and a network connection has been established between the server and the client.
  - 4. The method of claim 3, wherein the TCP options header is embedded into the ACK, the ACK being forwarded to the server.
  - 5. The method of claim 3, wherein the network device does not retain the TCP options when the network device is operating in a stateless mode.
  - 6. The method of claim 1, wherein the TCP options comprise a maximum segment size, a window scale, and a selective acknowledgement message, wherein the selective acknowledgement message is used for selective retransmission of individual data packets that were not received by the server.
  - 7. The method of claim 1, wherein TCP options are included in the data packet received from the client.
  - 8. The method of claim 1, further comprising authenticating the client by the network device.
  - 9. The method of claim 8, further comprising embedding or stamping at least one of a server sequence number, a client maximum segment size, a client timestamp, and information required for the server to process the embedded data packet.
  - 10. The method of claim 1, wherein the TCP options are embodied in a single message having a predetermined length of bits, wherein the length of bits is separated into segments, each of the segments comprising bits representing one of the TCP options.

11. A method for facilitating secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving, at the network device, a data packet with information from a client indicating that the client is a trusted source;
  
  modifying, by the network device, an Internet protocol (IP) header of the data packet with an encoded value from an index table, the encoded value comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; and
  
  forwarding, by the network device, the data packet with the modified IP header to a server, the server recognizing, based on the server sequence number, the data packet as associated with the trusted source previously authenticated by the network device.
- View Dependent Claims (12)
- - 12. The method of claim 11, further comprising:
    - authenticating the client;
      
      computing parameters included in a synchronization (SYN) packet received from the client;
      
      selecting a combination of parameters from the index table based on the computed parameters; and
      
      encoding the combination of parameters into an IP identification field of IP header of the data packet.

13. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- receiving a data packet with information from a client indicating that the client is a trusted source;
  
  communicating, in a first channel established between the network device and a server, connection parameters included in a synchronization (SYN) packet received from the client, the connection parameters comprising parameters necessary for data transfer over the secure network, the connection parameters comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; and
  
  forwarding, in a second channel established between the network device and the server, data packets of a data flow from the client, the server recognizing, based on the server sequence number, the data packet as associated with the trusted source previously authenticated by the network device.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the parameters comprise at least one of sequence numbers, timestamp, and window size.

15. An application delivery controller, comprising:
- a processor; and
  
  a memory for storing executable instructions, the processor being configured to execute the instructions to;
  
  receive a data packet with information from a client indicating that the client is a trusted source;
  
  perform either;
  
  (1) an embedding of a transmission control protocol (TCP) options header in the data packet, the TCP options header comprising parameters for a protocol connection, the parameters including at least a sequence number for the protocol connection, the sequence number including a server sequence number, or (2) a modification of an Internet protocol (IP) header of the data packet with an encoded value from an index table, the encoded value including the server sequence number; and
  
  forward the embedded or modified data packet to a server, the server recognizing, based on the server sequence number, the embedded or modified data packet as associated with a trusted source previously authenticated by the processor.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The application delivery controller of claim 15, wherein the application delivery controller comprises a module that is configured to place an acknowledgement (ACK) packet in the IP header of the data packet.
  - 17. The application delivery controller of claim 16, wherein the application delivery controller is configured to use IP tunneling to transfer the modified data packet with the modified IP header to the server.
  - 18. The application delivery controller of claim 17, wherein the data included in the TCP header is placed into a tunnel header.
  - 19. The application delivery controller of claim 15, wherein the application delivery controller is configured to determine TCP options that the server is capable of providing.
  - 20. The application delivery controller of claim 19, wherein the application delivery controller is configured to adjust the parameters in the TCP options header with the TCP options that the server is capable of providing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jalan, Rajkumar, Kamat, Gurudeep
Primary Examiner(s)
Book, Phyllis A

Application Number

US15/858,382
Publication Number

US 20180124052A1
Time in Patent Office

515 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

Facilitating secure network traffic by an application delivery controller

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

515 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating secure network traffic by an application delivery controller

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

515 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links