Process and system providing internet protocol security without secure domain resolution

US 7,296,155 B1
Filed: 12/17/2001
Issued: 11/13/2007
Est. Priority Date: 06/08/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system providing Internet protocol security without secure domain name resolution, the system comprising:

a local domain name service (DNS) server that is communicatively coupled to a processor and that includes a secure Internet security protocol (IPSEC) cache, wherein the secure IPSEC cache comprises a plurality of cache entries, wherein each cache entry comprises a domain name and information that uniquely associates the cache entry with a particular application process or execution time, wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of an application program by the processor;

a security policy data store that is communicatively coupled to the IP processing layer;

a computer-readable medium accessible to the processor and comprising one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;

receiving a message generated as a result of execution of the application program and that contains a domain name to be resolved by the local DNS server;

storing, in a first of the cache entries, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time;

receiving a data packet from the application;

in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache,based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;

querying the security policy data store for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;

in response to obtaining an IPSEC policy, applying the IPSEC policy to the data packet; and

purging the matching entry from the cache.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method providing Internet protocol security without secure domain name resolution are disclosed. A processor that periodically needs to resolve domain names into network addresses has a local DNS server that includes a secure IPSEC cache, a resolver function, a security policy database, and an IPSEC layer. The cache is readable only by the IPSEC layer. Resolved domain names are cached with process and transaction identifiers that uniquely associate the resolved names with an application process and time. When resolution is needed, the cache is used to ensure that IP addresses are resolved from names that came from the application. As a result, IPSEC connections may be established without use of DNSSEC to provide secure domain name resolution.

135 Citations

23 Claims

1. A computer system providing Internet protocol security without secure domain name resolution, the system comprising:
- a local domain name service (DNS) server that is communicatively coupled to a processor and that includes a secure Internet security protocol (IPSEC) cache, wherein the secure IPSEC cache comprises a plurality of cache entries, wherein each cache entry comprises a domain name and information that uniquely associates the cache entry with a particular application process or execution time, wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of an application program by the processor;
  
  a security policy data store that is communicatively coupled to the IP processing layer;
  
  a computer-readable medium accessible to the processor and comprising one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a message generated as a result of execution of the application program and that contains a domain name to be resolved by the local DNS server;
  
  storing, in a first of the cache entries, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time;
  
  receiving a data packet from the application;
  
  in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache,based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;
  
  querying the security policy data store for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;
  
  in response to obtaining an IPSEC policy, applying the IPSEC policy to the data packet; and
  
  purging the matching entry from the cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A computer system as recited in claim 1, wherein each cache entry further comprises one or more IP addresses that correspond to the domain name for the entry.
  - 3. A computer system as recited in claim 2, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message further comprises the step of searching the secure IPSEC cache for an entry that matches a process identifier of the application program.
  - 4. A computer system as recited in claim 2, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.
  - 5. A computer system as recited in claim 4, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message further comprises the step of searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program.
  - 6. A computer system as recited in claim 1, further comprising the step of querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.
  - 7. A computer system as recited in claim 1, further comprising the steps of:
    - wherein the message is a request to resolve the domain name into network addresses;
      
      resolving the domain name using the local DNS server, resulting in generating one or more network addresses corresponding to the domain name;
      
      determining the identifier information that uniquely associates the request with a particular application process or execution time; and
      
      storing the network addresses in the first cache entry of the secure IPSEC cache.

8. A method for providing Internet protocol security without secure domain name resolution, the method comprising the computer-implemented steps of:
- receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;
  
  storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;
  
  receiving a data packet from the application;
  
  in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;
  
  based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;
  
  in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;
  
  applying the IPSEC policy to the data packet; and
  
  purging the matching entry from the cache.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A method as recited in claim 8, wherein each cache entry further comprises one or more IP addresses that correspond to the domain name for the entry.
  - 10. A method as recited in claim 9, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message further comprises the step of searching the secure IPSEC cache for an entry that matches a process identifier of the application program.
  - 11. A method as recited in claim 9, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.
  - 12. A method as recited in claim 11, wherein the step of verifying that the domain name in the located entry matches the domain name contained in the message further comprises the step of searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program.
  - 13. A method as recited in claim 8, further comprising the step of querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.
  - 14. A method as recited in claim 8, further comprising the steps of:
    - wherein the message is a request to resolve the domain name into network addresses;
      
      resolving the domain name using the local DNS server, resulting in generating one or more network addresses corresponding to the DNS name;
      
      determining the identifier information that uniquely associates the request with a particular application process or execution time; and
      
      storing the network addresses in the first cache entry of the secure IPSEC cache.

15. A computer-readable medium carrying one or more sequences of instructions for providing Internet protocol security without secure domain name resolution, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;
  
  storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;
  
  receiving a data packet from the application;
  
  in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;
  
  based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;
  
  in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;
  
  applying the IPSEC policy to the data packet; and
  
  purging the matching entry from the cache.

16. An apparatus for providing Internet protocol security without secure domain name resolution, comprising:
- means for receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;
  
  means for storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time,means for receiving a data packet from the application;
  
  in response to receiving the data packet from the application, means for locating an entry in the secure IPSEC cache;
  
  based on the identifying information in the located cache entry, means for verifying that the domain name in the located entry matches the domain name in the message;
  
  means for querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;
  
  means for applying the IPSEC policy to the data packet; and
  
  means for purging the matching entry from the cache.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. An apparatus as recited in claim 16, wherein each cache entry further comprises one or more IP addresses that correspond to the domain name for the entry.
  - 18. A apparatus as recited in claim 17, wherein the means for verifying that the domain name in the located entry matches the domain name contained in the message further comprises means for searching the secure IPSEC cache for an entry that matches a process identifier of the application program.
  - 19. A apparatus as recited in claim 18, wherein the information, for each cache entry, that uniquely associates the cache entry with a particular application process or execution time comprises a process identifier value and a transaction identifier value.
  - 20. A apparatus as recited in claim 19, wherein the means for verifying that the domain name in the located entry matches the domain name contained in the message further comprises means for searching the secure IPSEC cache for an entry that matches a process and transaction associated with the application program.
  - 21. A apparatus as recited in claim 16, further comprising means for querying the security policy database for an IPSEC policy based on an IP address that is resolved from the domain name received from the application program only when a matching cache entry is not found by searching the cache based on the domain name.
  - 22. An apparatus as recited in claim 16, wherein the message is a request to resolve the domain name into network addresses;
    - and further comprising;
      
      means for resolving the domain name the local DNS server, resulting in generating one or more network addresses corresponding to the domain name;
      
      means for determining identifier information that uniquely associates the request with a particular application process or execution time; and
      
      means for storing the network addresses as an entry in the secure IPSEC cache.

23. An apparatus for providing Internet protocol security, without secure domain name resolution, for messages that are carried by a packet-switched data network, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a message generated as a result of execution of an application program and that contains a domain name to be resolved by the local DNS server;
  
  storing, in a first cache entry of a secure Internet security protocol (IPSEC) cache, the domain name contained in the message and identifying information that uniquely associates the first cache entry with a particular application process or execution time, wherein the secure IPSEC cache is communicatively coupled to a local domain name service (DNS) server, and wherein the secure IPSEC cache is readable only by an Internet protocol (IP) processing layer of an operating system that controls execution of the application program, and wherein each cache entry comprises information that uniquely associates the cache entry with a particular application process or execution time;
  
  receiving a data packet from the application;
  
  in response to receiving the data packet from the application, locating an entry in the secure IPSEC cache;
  
  based on the identifying information in the located cache entry, verifying that the domain name in the located entry matches the domain name in the message;
  
  in response to obtaining an IPSEC policy, querying a security policy data store that is communicatively coupled to the IP processing layer for an IPSEC policy matching the domain name in the located entry, wherein the IP processing layer verifies that the policy matches the domain name contained in the message;
  
  applying the IPSEC policy to the data packet; and
  
  purging the matching entry from the cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Trostle, Jonathan, Gossman, William
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US10/023,622
Time in Patent Office

2,157 Days
Field of Search

709/226, 709/249, 709/250, 713/201, 713/160, 713/156, 713/170, 726/3, 726/4, 726/5, 726/6
US Class Current

713/170
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/164 at the network layer

Process and system providing internet protocol security without secure domain resolution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

135 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Process and system providing internet protocol security without secure domain resolution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links