Security enabled network access control

US 20030188192A1
Filed: 03/27/2002
Published: 10/02/2003
Est. Priority Date: 03/27/2002
Status: Active Grant

First Claim

Patent Images

1. An access control system comprising:

a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets; and

a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control system including a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets, and a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.

304 Citations

31 Claims

1. An access control system comprising:
- a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets; and
  
  a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the filter rule constructor engine also applies the derived set of filter rules to clear packet headers.
  - 3. The system of claim 1, wherein the security protocol is a secure Internet protocol.
  - 4. The system of claim 1, wherein the network device is a router and the filter rule constructor engine is on the same platform as the forwarding element.
  - 5. The system of claim 1, wherein the network device is connected to a Virtual Private Network (VPN).
  - 6. The system of claim 5, wherein the network device is also connected to an Internet host.
  - 7. The system of claim 1, wherein the set of filter rules includes a clear filter chain.
  - 8. The system of claim 7, wherein the set of filter rules further includes a plurality of filter chains to be applied to encrypted packet headers.
  - 9. The system of claim 1, wherein the security information is a Security Information Transport Protocol mapping table.
  - 10. The system of claim 9, wherein the SITP table includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 11. The system of claim 10, wherein the access control rules are in a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 12. The system of claim 1, further comprising an engine to collect statistics from counters associated with the set of filter rules.
  - 13. The system of claim 1, wherein the statistics engine is integral with the filter rule constructor engine.

14. A machine-accessible medium with executable instructions stored thereon that, when accessed, perform the following operations:
- receive access control rules and security information for a security protocol;
  
  derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol; and
  
  transmit the set of filter rules to at least one forwarding element.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The article of claim 14, the instructions further operable to cause the machine to apply the derived set of filter rules to both clear packet headers and packet headers encrypted with the security protocol.
  - 16. The article of claim 14, further including instructions to receive security information for a secure Internet protocol.
  - 17. The article of claim 14, further including instructions to derive a set of filter rules that includes a clear filter chain.
  - 18. The article of claim 14, further including instructions to derive a set of filter rules that includes a plurality of filter chains to be applied to encrypted packet headers.
  - 19. The article of claim 14, further including instructions to receive security information in the form of a Security Information Transport Protocol mapping table.
  - 20. The article of claim 19, further including instructions to receive a Security Information Transport Protocol mapping table that includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 21. The article of claim 14, further including instructions to receive access control rules in the form of a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 22. The article of claim 14, the instructions further operable to cause the machine to collect statistics from counters associated with the set of filter rules and reset the counters.

23. An access control method, comprising:
- receiving access control rules and decryption information for a security protocol;
  
  deriving from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol; and
  
  transmitting the set of filter rules to at least one forwarding element.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The method of claim 23, further comprising applying the derived set of filter rules to both clear packet headers and packet headers encrypted with the security protocol.
  - 25. The method of claim 23, wherein the security protocol is a secure Internet protocol.
  - 26. The method of claim 23, wherein the set of filter rules includes a clear filter chain.
  - 27. The method of claim 26, wherein the set of filter rules further includes a plurality of filter chains to be applied to encrypted packet headers.
  - 28. The method of claim 23, wherein the security information is a Security Information Transport Protocol mapping table.
  - 29. The method of claim 28, wherein the SITP table includes a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, ESP protocol, a security payload index, a decryption algorithm, and a decryption key.
  - 30. The method of claim 23, wherein the access control rules are in a table which lists a plurality of parameters selected from the group consisting of outer source IP address, the outer destination IP address, the outer protocol, the ESP protocol, the inner source IP address, the inner destination IP address, the inner protocol, the source port, and the destination port.
  - 31. The method of claim 23, further comprising collecting statistics from counters associated with the set of filter rules and resetting the counters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Liu, Hsin-Yuo, Tang, Puqi

Granted Patent

US 7,185,365 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Security enabled network access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

304 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Security enabled network access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

304 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links