Establishing consistent, end-to-end protection for a user datagram

US 6,931,529 B2
Filed: 01/05/2001
Issued: 08/16/2005
Est. Priority Date: 01/05/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;

computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;

computer-readable program code means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and

computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for providing consistent, end-to-end protection within a computer network for user datagrams (i.e. packets) traveling through the network. The network may comprise network segments that are conventionally assumed to be secure (such as those found in a corporate intranet) as well as network segments in non-secure networks (such as the public Internet or corporate extranets). Because security breaches may in fact happen in any network segment when datagrams are unprotected, the present invention discloses a technique for protecting datagrams throughout the entire network path by establishing cascaded tunnels. The datagrams may be exposed in cleartext at the endpoints of each tunnel, thereby enabling security gateways to perform services that require content inspection (such as network address translation, access control and authorization, and so forth). The preferred embodiment is used with the “IPSec” (Internet Protocol Security Protocol) and “IKE” (Internet Key Exchange) protocols, thus providing a standards-based solution.

193 Citations

45 Claims

1. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
  
  computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
  
  computer-readable program code means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
  
  computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer program product according to claim 1, wherein the computer-readable program code means for establishing and the computer-readable program code means for cascading further comprise computer-readable program code means for establishing security associations which use strong cryptographic techniques.
  - 3. The computer program product according to claim 2, wherein the strong cryptographic techniques used for the security associations are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 4. The computer program product according to claim 3, wherein the datagram originator and the gateways that perform the computer-readable program code means for cascading each act in an IKE initiator role.
  - 5. The computer program product according to claim 1, wherein the computer-readable program code means for cascading further comprises computer-readable program code means for using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments and the last protected network segment.
  - 6. The computer program product according to claim 5, wherein the identifying information further comprises addresses of the datagram originator and the datagram destination.
  - 7. The computer program product according to claim 6, wherein the identifying information further comprises a protocol identification and a port number used for the first protected network segment.
  - 8. The computer program product according to claim 5 or claim 6, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway.
  - 9. The computer program product according to claim 5, wherein the identifying information may be altered by zero or more of the gateways.
  - 10. The computer program product according to claim 1, wherein the datagram originator and the gateways that perform the computer-readable program code means for cascading each act in an initiator role for a protocol known as Internet Key Exchange.
  - 11. The computer program product according to claim 1, wherein any of the gateways may perform services on the cleartext datagram.
  - 12. The computer program product according to claim 1, wherein operation of the computer-readable program code means for cascading may be selectively enabled for any particular network path.
  - 13. The computer program product according to claim 12, wherein the selective enablement occurs by setting a cascading-enabled flag for the first protected network segment, and wherein datagrams sent on the network path are not protected using cascaded protected segments when the computer-readable program code means for cascading is disabled.
  - 14. The computer program product according to claim 1, wherein each of the protected network segments has a security policy associated therewith and wherein the security policies may vary among the protected network segments.

15. A system for providing end-to-end protection for datagrams in a computer networking environment, comprising:
- means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
  
  means for establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
  
  means for cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
  
  means for cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system according to claim 15, wherein the means for establishing and the means for cascading comprise means for establishing security associations which use strong cryptographic techniques.
  - 17. The system according to claim 16, wherein the strong cryptographic techniques used for the security associations are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 18. The system according to claim 17, wherein the datagram originator and the gateways that perform the means for cascading each act in an IKE initiator role.
  - 19. The system according to claim 15, wherein the means for cascading further comprises means for using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments and the last protected network segment.
  - 20. The system according to claim 19, wherein the identifying information further comprises addresses of the datagram originator and the datagram destination.
  - 21. The system according to claim 19 or claim 20, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway.
  - 22. The system according to claim 19, wherein the identifying information may be altered by zero or more of the gateways.
  - 23. The system according to claim 20, wherein the identifying information further comprises a protocol identification and a port number used for the first protected network segment.
  - 24. The system according to claim 15, wherein the datagram originator and the gateways that perform the means for cascading each act in an initiator role for a protocol known as Internet Key Exchange.
  - 25. The system according to claim 15, wherein any of the gateways may perform services on the cleartext datagram.
  - 26. The system according to claim 15, wherein operation of the means for cascading may be selectively enabled for any particular network path.
  - 27. The system according to claim 26, wherein the selective enablement occurs by setting a cascading-enabled flag for the first protected network segment, and wherein datagrams sent on the network path are not protected using cascaded protected segments when the means for cascading is disabled.
  - 28. The system according to claim 15, wherein each of the protected network segments has a security policy associated therewith and wherein the security policies may vary among the protected network segments.

29. A method of providing end-to-end protection for datagrams in a computer networking environment, comprising steps of:
- protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising steps of;
  
  establishing a first protected network segment from the datagram originator to a first of one or more gateways in the network path;
  
  cascading zero or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways; and
  
  cascading a last protected network segment from a final one of the gateways to the datagram destination, wherein the final gateway is the first gateway if no gateway-to-gateway segments are required, wherein each of the gateways retains cleartext access to datagrams sent on the network path.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 33. The method according to claim 29, wherein the cascading step further comprises the step of using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments and the last protected network segment.
  - 34. The method according to claim 33, wherein the identifying information further comprises addresses of the datagram originator and the datagram destination.
  - 35. The method according to claim 34, wherein the identifying information further comprises a protocol identification and a port number used for the first protected network segment.
  - 36. The method according to claim 33 or claim 34, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway.
  - 37. The method according to claim 33, wherein the identifying information may be altered by zero or more of the gateways.
  - 38. The method according to claim 29, wherein the datagram originator and the gateways that perform the cascading step each act in an initiator role for a protocol known as Internet Key Exchange.
  - 39. The method according to claim 29, wherein any of the gateways may perform services on the cleartext datagram.
  - 40. The method according to claim 29, wherein operation of the cascading step may be selectively enabled for any particular network path.
  - 41. The method according to claim 40, wherein the selective enablement occurs by setting a cascading-enabled flag for the first protected network segment, and wherein datagrams sent on the network path are not protected using cascaded protected segments when the cascading step is disabled.
  - 42. The method according to claim 29, wherein each of the protected network segments has a security policy associated therewith and wherein the security policies may vary among the protected network segments.

30. The method according to claim 30, wherein the establishing step and the cascading step further comprise the step of establishing security associations which use strong cryptographic techniques.

31. The method according to claim 31, wherein the strong cryptographic techniques used for the security associations are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
- View Dependent Claims (32)
- - 32. The method according to claim 31, wherein the datagram originator and the gateways that perform the cascading step each act in an IKE initiator role.

43. A computer program product for providing end-to-end protection for datagrams in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
  
  computer-readable program code means for establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
  
  computer-readable program code means for cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
  
  computer-readable program code means for cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.

44. A system for providing end-to-end protection for datagrams in a computer networking environment, comprising:
- means for protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising;
  
  means for establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
  
  means for cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
  
  means for cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.

45. A method of providing end-to-end protection for datagrams in a computer networking environment, comprising steps of:
- protecting each of a plurality of network segments that comprise a network path from a datagram originator to a datagram destination, further comprising steps of;
  
  establishing a first protected network segment from the datagram originator to a first of a plurality of gateways in the network path;
  
  cascading one or more protected gateway-to-gateway segments along the network path, each of the gateway-to-gateway segments being cascaded from one of the gateways in the network path to a next successive one of the gateways, using identifying information from the first protected network segment as identifying information of the protected gateway-to-gateway segments, wherein the identifying information is copied from an inbound side of each gateway to an outbound side of that gateway; and
  
  cascading a last protected network segment from a final one of the gateways to the datagram destination, using the identifying information from the first protected network segment as identifying information of the last protected network segment, wherein each of the gateways retains cleartext access to datagrams sent on the network path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kunzinger, Charles A.
Primary Examiner(s)
Song, Hosuk

Application Number

US09/754,893
Publication Number

US 20020091921A1
Time in Patent Office

1,684 Days
Field of Search

713200-201, 713/168, 713/160, 713/150, 713/153, 713/171, 713/189, 713/154, 709/200, 370/392, 370/351, 370400-401, 370/409, 370/464
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0471   applying encryption by an i...

H04L 63/164   at the network layer

Establishing consistent, end-to-end protection for a user datagram

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

193 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing consistent, end-to-end protection for a user datagram

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links