US20020062344A1 - Method and arrangement for secure tunneling of data between virtual routers - Google Patents

Method and arrangement for secure tunneling of data between virtual routers Download PDF

Info

Publication number
US20020062344A1
US20020062344A1 US09/151,744 US15174498A US2002062344A1 US 20020062344 A1 US20020062344 A1 US 20020062344A1 US 15174498 A US15174498 A US 15174498A US 2002062344 A1 US2002062344 A1 US 2002062344A1
Authority
US
United States
Prior art keywords
computer device
transmitting
virtual router
receiving
security association
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US09/151,744
Other versions
US6438612B1 (en
Inventor
Tatu Ylonen
Tero Kivinen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inside Secure SA
Original Assignee
SSH Communications Security Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SSH Communications Security Oy filed Critical SSH Communications Security Oy
Priority to US09/151,744 priority Critical patent/US6438612B1/en
Assigned to SSH COMMUNICATIONS SECURITY LTD. reassignment SSH COMMUNICATIONS SECURITY LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KIVINEN, TERO, YLONEN, TATU
Publication of US20020062344A1 publication Critical patent/US20020062344A1/en
Application granted granted Critical
Publication of US6438612B1 publication Critical patent/US6438612B1/en
Assigned to SFNT FINLAND OY reassignment SFNT FINLAND OY ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SSH COMMUNICATIONS SECURITY CORP.
Assigned to DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERAL AGENT reassignment DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERAL AGENT FIRST LIEN PATENT SECURITY AGREEMENT Assignors: SAFENET, INC.
Assigned to DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERAL AGENT reassignment DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERAL AGENT SECOND LIEN PATENT SECURITY AGREEMENT Assignors: SAFENET, INC.
Assigned to SAFENET, INC. reassignment SAFENET, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SFNT FINLAND OY
Assigned to SAFENET, INC. reassignment SAFENET, INC. PARTIAL RELEASE OF COLLATERAL Assignors: DEUTSCHE BANK TRUST COMPANY AMERICAS, AS FIRST AND SECOND LIEN COLLATERAL AGENT
Assigned to AUTHENTEC, INC. reassignment AUTHENTEC, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SAFENET, INC.
Assigned to SSH COMMUNICATIONS SECURITY CORP. reassignment SSH COMMUNICATIONS SECURITY CORP. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SSH COMMUNICATIONS SECURITY LTD
Assigned to INSIDE SECURE reassignment INSIDE SECURE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AUTHENTEC, INC.
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Definitions

  • the invention concerns generally the field of transmitting data in the form of packets between computers in a network. Especially the invention concerns the secure transmission of data packets in a network comprising so-called virtual routers.
  • a network is an arbitrary aggregate of computer devices linked together through wire, cable, fibre and/or wireless connections for transmitting data in the form of packets.
  • the computer devices in a network may be classified to hosts and routers.
  • a host is a computer device in a network arranged to process packets destined to itself, whereas a router is arranged to process packets both to itself and packets destined to other computer devices of the network.
  • Routers may further be sub-classified; some sub-classes are for example IP routers (Internet Protocol) and access routers.
  • IP routers Internet Protocol
  • the present invention concerns generally the operation of routers, but it has implications also to the operation of other computer devices in a network.
  • a simple router 100 illustrated in FIG. 1 a, has a number of input lines 101 , a number of output lines 102 (which may physically be the same as the input lines) and a routing processor 103 capable of taking the packets coming on the input lines and forwarding them to the correct output lines in accordance with some explicit or implicit information about the destination of the packets.
  • the router has previously stored routing tables that dictate the correct handling of packets. Explicit information above means that each packet contains information about how it should be processed, and implicit information means that from a certain context the router knows how to handle the packet. The router may have obtained the necessary implicit knowledge from some previous packets, or each packet may have a context identifier revealing the correct context.
  • a virtual router 110 , 111 or 112 is a logical concept instead of a physical one.
  • a single physical computing device 113 in a network may house a number of virtual routers that use the same hardware, i.e. the same physical input lines 114 and output lines 115 (which may again physically be the same as the input lines) and the same processor 116 .
  • the virtual routers are separate entities, and a suitable multiple access scheme is applied to share the common physical resources between them. It is even possible to construct a virtual network where the connections between hosts go through virtual routers. Multiple virtual networks may rely on the same cabling and the same physical routers without having any knowledge of each other. This is a popular way of implementing virtual private networks or VPNs, each of which can serve for example as the backbone network connecting the branch offices of a large company together.
  • two mutually communicating physical routers supporting virtual routers may also be connected by an arbitrarily complex network capable of transmitting data between its nodes.
  • Such a network may contain intermediate routers that may or may not be aware of the multiple virtual networks going through them.
  • There may be numerous physical (possibly routed) paths between any two nodes in the network.
  • the paths may include wireline, cable, fibre and/or wireless segments.
  • a typical data packet 200 comprises a header 201 , a payload or data portion 202 and possibly a checksum 203 (CRC; Cyclic Redundancy Check).
  • the header 201 is arranged into fields that contain, among other information, a source address (not separately shown) identifying the sender of the packet and a destination address (not separately shown) identifying the intended recipient of the packet.
  • the packet can only traverse the logical network in which the addresses are valid, i.e. where the network addressing scheme enables the correct recognition of the sender and the intended recipient. It is possible to temporarily transmit the packet over a different logical network, but the packet must be suitably encapsulated and relabeled.
  • tunneling The process of encapsulating data packets for transmission over a different logical network is called tunneling.
  • tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (endpoint of the tunnel).
  • Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel.
  • the exact amount of information that needs to be passed with the packet depends on the network protocols, and information may be passed either explicitly (as part of the tunnelled packet) or implicitly (by the context, as determined e.g. by previously transmitted packets or a context identifier in the tunneled packet).
  • a packet is typically wrapped in an outer IP header.
  • the outer source IP address is set to the IP address of the sending node
  • the outer destination IP address is set to the IP address of the endpoint of the tunnel
  • the outer protocol identifier is set to identify the tunneling method.
  • the next router is a virtual router
  • this simple scheme is not necessarily applicable, because virtual routers typically do not have an IP address of their own. It is not practical to assign a separate IP address to each virtual router, because the number or virtual routers is expected to become very large (there may be hundreds of virtual routers in a single physical computing device) and the number of available IP addresses is limited. Extending the available IP address space by making the IP addresses longer is also not reasonable because it would require a protocol update in millions of computing stations around the world.
  • Multi-protocol label switching MPLS (as discussed in the Internet Engineering Task Force IETF working groups) can be used to carry labels that identify the virtual network that the packets belong to.
  • the L 2 TP protocol (also discussed in IETF working groups) can be used to tunnel PPP (point-to-point protocol) streams over networks, and can also be used to carry labeling information.
  • IPSEC Internet Engineering Task Force
  • IPSEC performs authentication and encryption on packet level by generating a new IP header, adding an Authentication Header (AH) or Encapsulating Security Payload (ESP) header in front of the packet.
  • the original packet is cryptographically authenticated and optionally encrypted.
  • the method used to authenticate and possibly encrypt a packet is identified by a security parameter index (SPI) value stored in the AH and ESP headers.
  • SPI security parameter index
  • the SPI is a 32-bit integer. Its value is usually pseudo-random, but negotiated and known to the two endpoints of the tunnel.
  • the AH header is illustrated in FIG. 2 b, where the column numbers correspond to bits.
  • the fields of the known AH header are as follows: Next Header 211 , Length 212 , Reserved 213 , Security Parameter Index 214 and Authentication Data 215 .
  • the length of the last field 215 is a variable number of 32-bit words.
  • the Encapsulating Security Payload may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol.
  • ESP consists of an unencrypted header followed by encrypted data.
  • the encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP).
  • FIG. 2 c A high-level diagram of an exemplary secure IP datagram is illustrated in FIG. 2 c, where the fields are IP Header 221 , optional other IP headers 222 , ESP header 223 and encrypted data 224 .
  • FIG. 2 c A high-level diagram of an exemplary secure IP datagram is illustrated in FIG. 2 c, where the fields are IP Header 221 , optional other IP headers 222 , ESP header 223 and encrypted data 224 .
  • 2 c also illustrates the two parts of the ESP header, which are the 32-bit Security Association Identifier (SPI) 223 a and the Opaque Transform Data field 223 b, whose length is variable. No virtual router identifier is carried as part of the IPSEC protocol.
  • SPI Security Association Identifier
  • Opaque Transform Data field 223 b whose length is variable. No virtual router identifier is carried as part of the IPSEC protocol.
  • the objects of the invention are achieved by connecting a destination virtual router identity to the security association governing the handling of packets, so that a separate security association is used to send packets to each virtual router at the physical computing device identified by a certain network address.
  • the invention also applies to a method for transmitting data packets in a transmitting computer device, as well as to a method for receiving data packets in a receiving computer device.
  • the transmitting method comprises the characteristic features a), b) and c) given above
  • the receiving method comprises the characteristic features a), b), d) and e) given above.
  • the invention applies to a networked computer device for securely processing transmittable data packets. As features characteristic to the invention it comprises
  • [0024] means for establishing a security association for the secure transmission of data packets between the computer device and some other networked computer device
  • [0025] means for identifying a certain virtual router to be used in association with an established security association
  • [0026] means for associating a piece of information identifying said certain virtual router with said established security association.
  • the invention relies on the concept of security association, which is a reserved term in the context of one specific protocol, but which can easily be generalised to cover all arrangements having similar features regardless of the actual protocol that is used.
  • the specific protocol referred to above is the IKE or Internet Key Exchange protocol, which was previously known as the ISAKMP/Oakley, where the acronym ISAKMP comes from Internet Security Association Key Management Protocol. It defines a method for authenticating the communicating parties to each other, deriving a shared secret known only to the communicating parties, negotiating authentication and encryption methods to be used for the communication, and agreeing on a security parameter index (SPI) value and a set of selectors to be used for the communication.
  • SPI security parameter index
  • the IKE protocol will be published in the form of an RFC standard, but at the filing date of the present patent application it is already available to the public at the internet address ftp://ftp.nordu.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley 08.txt which is hereby incorporated by reference.
  • the result of a negotiation between the communicating parties is one or more security associations or SAs.
  • a security association specifies a set of selectors that indicate which packets the SA should be applied to, the type of the transformation applied to protect the packets (e.g. AH or ESP), the SPI, the encryption and/or authentication methods to apply, and the tunneling method and tunnel destination.
  • the invention adds at least one new selector to a security association: the virtual network identifier.
  • the added selector(s) may be represented explicitly (e.g.
  • the added selector(s) do(es) not form part of the actual data packet, but represent(s) information associated with the packet within a computing system.
  • FIG. 1A depicts a known router
  • FIG. 1B illustrates the known concept of virtual routers
  • FIGS. 2 a to 2 c illustrate some known aspects of data packets
  • FIG. 3 illustrates the setup of a security association
  • FIG. 4 is a schematic drawing of two communicating computer devices
  • FIG. 5 illustrates the principle of an advantageous embodiment of the invention
  • FIGS. 6 and 7 illustrate some architectures applicable in the context of the invention.
  • FIGS. 1 a to 2 c were discussed previously in the description of prior art, so in the following we will concentrate on FIGS. 3 to 7 .
  • FIG. 3 illustrates a part of a network comprising a transmitting device 301 , a receiving device 302 and a two-way connection 303 for transmitting data packets between the two.
  • the invention does not limit the type of the devices 301 and 302 ; they may basically be hosts, routers, firewalls or other computer devices connected to the network, and they may be both of the same type or they may be of different types.
  • the invention concerns specifically the tunneling of packets in a network containing virtual routers, we must assume that at least one of the devices 301 and 302 is a virtual router. For the sake of example we will assume in the following that they are both virtual routers.
  • the invention does not require that the two-way connection 303 is a simple cable connection. It may be even a complex network comprising a large number of intermediate routers and a variety of wireline, cable, fibre or wireless connection segments.
  • the negotiation will additionally result in a set of selectors to be used for the communication.
  • the selectors typically specify which packets between the two communicating nodes should go into the tunnel.
  • the IPSEC protocol specifies the following set of selectors: destination IP address, source IP address, protocol, source port number, destination port number, and user name. These selectors are also seen in memory blocks 304 and 305 .
  • At least one additional selector is agreed upon during the negotiation between the devices 301 and 302 .
  • a first advantageous embodiment of the invention is based on identifying each virtual network by a Virtual Network Identifier or VNI.
  • VNI Virtual Network Identifier
  • Each physical computer device that comprises virtual routers will associate the VNI with one of its virtual routers. To identify a particular virtual router one would then need to know the network address(es) of the physical computer device and the virtual network identifier. In this first embodiment of the invention it suffices to add into the list of agreed selectors a VNI selector 306 .
  • each physical computer device that comprises virtual routers will individually assign an unambiguous identifier to each of its virtual routers.
  • “individually” means that a first physical computer device may assign a identifier XX to one of its virtual routers and a second computer device may assign a different identifier YY to one of its virtual routers even if the virtual routers XX and YY take part in the same virtual network.
  • identification scheme identifying a particular virtual router is equal to knowing, in addition to the network address(es) of the physical computer device, the virtual router identifier or VRI given internally within said physical computer device. Because both virtual routers 301 and 302 may have a different VRI, in this second embodiment of the invention it is most advantageous to add into the list of agreed selectors a source VRI selector 307 and a destination VRI selector 308 .
  • VNI or VRI is a property of every packet transmitted through a physical router implementing virtual routers, the invention does not require it to be a part of the actual data packet like e.g. destination addresses. It may be a piece of information conceptually associated with the packet within a computing system but not stored as part of the packet, approximately in a same way as user names.
  • the result of the negotiation between the devices 301 and 302 is a security association (or a well-defined group of security associations). Because the VNI or VRI are selectors resembling the other selectors agreed upon during the setup of the security association, they may be represented explicitly (e.g. as an integer identifying the virtual network) or implicitly (e.g. by the queues and memory addresses in which the packet is stored and the routing tables by which it is processed).
  • the security association is set up through an automatic negotiation between the communicating devices.
  • the invention requires the definition of at least one new selector within the protocol governing the automatic negotiation.
  • the value for the new selector(s) will then be supplied during the negotiation just as for any other selectors, although their supplying will potentially require a straightforward extension of the existing standards; however, the technical implementation of such an extension is well within the capabilities of a person skilled in the art.
  • FIG. 4 is a slightly more detailed view of a transmitting device 401 , a receiving device 402 and two-way communication connection 403 between them. Both the transmitting device 401 and the receiving device 402 have an automatic key manager block 404 and an IPSEC block 405 that communicate with a security policy database 406 . We may keep the previously made assumption that the automatic key manager blocks 404 apply the IKE protocol for setting up the security association. To this end the automatic key manager block of the transmitting device 401 lists the value(s) of the new selector(s) according to the invention (the VNI or the VRIs) as a part of its phase 2 (Quick Mode) initiator ID payload 407 .
  • the VNI or the VRIs the value(s) of the new selector(s) according to the invention
  • the automatic key manager block of the receiving device 402 looks for a previously stored policy for that particular value or those particular values of the new selector(s), and uses the policy it finds or some newly constructed policy for further IPSEC processing. In its response, the key manager block of the receiving device 402 lists the same value(s) of the new selector(s) as a part of its responder ID payload 408 .
  • a router supporting virtual routers may have the option of rejecting any negotiations that do not specify a virtual router.
  • the above explained procedure of using the initiator and responder ID payloads as carriers for the value(s) of the new selector(s) according to the invention is to be seen as an example only; the person skilled in the art is capable of presenting also other methods for exchanging the mentioned values between the communicating parties.
  • both the transmitting device and the receiving device enter the information describing the security association into their security policy database.
  • the stored information is then used for the processing of individual packets.
  • the IPSEC block of the transmitting device may apply the following rule: For an outgoing packet to be processed by a security association, it must be coming from the virtual router within the transmitting device identified by the negotiated VNI.
  • One advantageous way of selecting a security association for the processing of a packet has been described in a co pending U.S. patent application of the same applicant with the title “Method and Arrangement for Implementing IPSEC Policy Management using Filter Code”.
  • Other possible ways include the use of hash tables or lists of policy rules.
  • a receiving device 402 receives a packet protected using IPSEC
  • the receiving device selects the appropriate security association using the destination address, protocol (AH/ESP), and the SPI value indicated in the packet.
  • IPSEC processing is then applied to the packet as specified by the security association.
  • the packet leaves IPSEC processing, a check is made to see whether the security association specifies a VNI. If it does, the packet is internally (explicitly or implicitly) labelled as destined to the virtual router identified by that identifier within the receiving device, and is only sent to that virtual router.
  • the selectors associated with a packet identify the packet as belonging to a certain virtual network, whereby the transmitting device knows to process the packet according to the correct security association.
  • the values contained within the header(s) of the packet tell to the receiving device, which security association it belongs to, and the security association further specifies the correct virtual network.
  • This invention is easily extended to encompass any security protocol that supports the concept of security associations, identified by selectors (such as network source or destination addresses) at the sending end and packet contents at the receiving end. Even though the invention was described in the context of the IPSEC protocol, it can be applied to other protocols such as Simple Key Manager for Internet Protocol SKIP, and a number of older protocols.
  • IPSEC tunnels are not limited to the AH/ESP tunnel mode.
  • the IPSEC AH/ESP transport mode can be used for this purpose as well, as it associates packets with a security association. Use of transport mode typically only makes sense between hosts.
  • FIGS. 6 and 7 There are several possible architectures for implementing the present invention, in particular with respect to the selection of the SPI values. Some of these architectures are illustrated in FIGS. 6 and 7. Firstly, according to FIG. 6, it is possible to have in each physical computer device 601 only a single module 602 performing IPSEC processing, and to have e.g. all virtual routers 603 a, 603 b and 603 c in a physical router share the same IPSEC module. In an alternative architecture according to FIG.
  • the virtual network identifier could be stored in the first bytes of the payload (before the actual tunneled packet), in the padding bytes of an AH or ESP transformation, in the initialization vector of an ESP transformation, as part of the payload of a custom transformation, or in an IP option (in either an inner or an outer IP header).
  • a special transformation e.g., a variation of the standard AH/ESP transforms
  • the virtual network identifier could be stored in the first bytes of the payload (before the actual tunneled packet), in the padding bytes of an AH or ESP transformation, in the initialization vector of an ESP transformation, as part of the payload of a custom transformation, or in an IP option (in either an inner or an outer IP header).
  • IP option in either an inner or an outer IP header

Abstract

Data packets are communicated between a transmitting virtual router in a transmitting computer device and a receiving virtual router in a receiving computer device. A security association is established for the secure transmission of data packets between the transmitting computer device and the receiving computer device. The transmitting virtual router and the receiving virtual router are identified within said security association. In the transmitting computer device, the security association for processing a data packet coming from the transmitting virtual router is selected on the basis of the identification of the transmitting virtual router within the security association. In the receiving computer device, the security association for processing a data packet coming from the transmitting computer device is selected on the basis of values contained within the data packet. In the receiving computer device, the data packet processed within the security association is directed to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association.

Description

    TECHNICAL FIELD
  • The invention concerns generally the field of transmitting data in the form of packets between computers in a network. Especially the invention concerns the secure transmission of data packets in a network comprising so-called virtual routers. [0001]
    • BACKGROUND OF THE INVENTION
  • A network is an arbitrary aggregate of computer devices linked together through wire, cable, fibre and/or wireless connections for transmitting data in the form of packets. The computer devices in a network may be classified to hosts and routers. A host is a computer device in a network arranged to process packets destined to itself, whereas a router is arranged to process packets both to itself and packets destined to other computer devices of the network. Routers may further be sub-classified; some sub-classes are for example IP routers (Internet Protocol) and access routers. The present invention concerns generally the operation of routers, but it has implications also to the operation of other computer devices in a network. [0002]
  • A [0003] simple router 100, illustrated in FIG. 1a, has a number of input lines 101, a number of output lines 102 (which may physically be the same as the input lines) and a routing processor 103 capable of taking the packets coming on the input lines and forwarding them to the correct output lines in accordance with some explicit or implicit information about the destination of the packets. In the usual case the router has previously stored routing tables that dictate the correct handling of packets. Explicit information above means that each packet contains information about how it should be processed, and implicit information means that from a certain context the router knows how to handle the packet. The router may have obtained the necessary implicit knowledge from some previous packets, or each packet may have a context identifier revealing the correct context.
  • Recently, the concept of virtual routers has been introduced, as in FIG. 1[0004] b. A virtual router 110, 111 or 112 is a logical concept instead of a physical one. A single physical computing device 113 in a network may house a number of virtual routers that use the same hardware, i.e. the same physical input lines 114 and output lines 115 (which may again physically be the same as the input lines) and the same processor 116. Conceptually the virtual routers are separate entities, and a suitable multiple access scheme is applied to share the common physical resources between them. It is even possible to construct a virtual network where the connections between hosts go through virtual routers. Multiple virtual networks may rely on the same cabling and the same physical routers without having any knowledge of each other. This is a popular way of implementing virtual private networks or VPNs, each of which can serve for example as the backbone network connecting the branch offices of a large company together.
  • Instead of a simple cable, two mutually communicating physical routers supporting virtual routers may also be connected by an arbitrarily complex network capable of transmitting data between its nodes. Such a network may contain intermediate routers that may or may not be aware of the multiple virtual networks going through them. There may be numerous physical (possibly routed) paths between any two nodes in the network. The paths may include wireline, cable, fibre and/or wireless segments. [0005]
  • Virtual networks raise a problem in packet labeling, because in the known labeling schemes it is difficult to identify the virtual network to which the packet belongs. In FIG. 2[0006] a, a typical data packet 200 comprises a header 201, a payload or data portion 202 and possibly a checksum 203 (CRC; Cyclic Redundancy Check). The header 201 is arranged into fields that contain, among other information, a source address (not separately shown) identifying the sender of the packet and a destination address (not separately shown) identifying the intended recipient of the packet. As such, the packet can only traverse the logical network in which the addresses are valid, i.e. where the network addressing scheme enables the correct recognition of the sender and the intended recipient. It is possible to temporarily transmit the packet over a different logical network, but the packet must be suitably encapsulated and relabeled.
  • The process of encapsulating data packets for transmission over a different logical network is called tunneling. Typically, in the case of the IP protocol, tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (endpoint of the tunnel). Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel. The exact amount of information that needs to be passed with the packet depends on the network protocols, and information may be passed either explicitly (as part of the tunnelled packet) or implicitly (by the context, as determined e.g. by previously transmitted packets or a context identifier in the tunneled packet). [0007]
  • In the case of tunneling IP traffic between routers over a single network cable or an arbitrarily complex network, a packet is typically wrapped in an outer IP header. The outer source IP address is set to the IP address of the sending node, the outer destination IP address is set to the IP address of the endpoint of the tunnel, and the outer protocol identifier is set to identify the tunneling method. However, if the next router is a virtual router, this simple scheme is not necessarily applicable, because virtual routers typically do not have an IP address of their own. It is not practical to assign a separate IP address to each virtual router, because the number or virtual routers is expected to become very large (there may be hundreds of virtual routers in a single physical computing device) and the number of available IP addresses is limited. Extending the available IP address space by making the IP addresses longer is also not reasonable because it would require a protocol update in millions of computing stations around the world. [0008]
  • Multi-protocol label switching MPLS (as discussed in the Internet Engineering Task Force IETF working groups) can be used to carry labels that identify the virtual network that the packets belong to. Alternatively, the L[0009] 2TP protocol (also discussed in IETF working groups) can be used to tunnel PPP (point-to-point protocol) streams over networks, and can also be used to carry labeling information.
  • Problems with virtual routers arise also in the context of security mechanisms introduced to enhance the security of data traffic in public networks. The IETF (Internet Engineering Task Force) has defined a set of rules for adding security to the IP protocol and collected them under the designation IPSEC or IP security protocol. IPSEC provides cryptographic authentication and confidentiality of traffic between two communicating network nodes. It can be used in both end-to-end mode, directly between the communicating nodes or hosts, or in tunnel mode between firewalls or routers. Asymmetric connections, where one end is a host and the other end is a firewall or router are also possible. The most important RFC standards published by the IETF and relating to IPSEC are RFC-1825 “Security Architecture for the Internet Protocol”, RFC-1826 “IP Authentication Header” and RFC-1827 IP Encapsulating Security Payload (ESP)”, all by R. Atkinson, NRL, August 1995, all of which are hereby incorporated by reference. RFC stands for Request For Comments, which is an IETF form of standards and recommendations. A complete overview of IPSEC is available to the public at the time of filing of, this patent application at the internet address www.tcm.hut.fi/Tutkimus/IPSEC/ipsec.html. [0010]
  • IPSEC performs authentication and encryption on packet level by generating a new IP header, adding an Authentication Header (AH) or Encapsulating Security Payload (ESP) header in front of the packet. The original packet is cryptographically authenticated and optionally encrypted. The method used to authenticate and possibly encrypt a packet is identified by a security parameter index (SPI) value stored in the AH and ESP headers. The SPI is a 32-bit integer. Its value is usually pseudo-random, but negotiated and known to the two endpoints of the tunnel. The AH header is illustrated in FIG. 2[0011] b, where the column numbers correspond to bits. The fields of the known AH header are as follows: Next Header 211, Length 212, Reserved 213, Security Parameter Index 214 and Authentication Data 215. The length of the last field 215 is a variable number of 32-bit words.
  • The Encapsulating Security Payload (ESP) may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol. ESP consists of an unencrypted header followed by encrypted data. The encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP). A high-level diagram of an exemplary secure IP datagram is illustrated in FIG. 2[0012] c, where the fields are IP Header 221, optional other IP headers 222, ESP header 223 and encrypted data 224. FIG. 2c also illustrates the two parts of the ESP header, which are the 32-bit Security Association Identifier (SPI) 223 a and the Opaque Transform Data field 223 b, whose length is variable. No virtual router identifier is carried as part of the IPSEC protocol.
    • SUMMARY OF THE INVENTION
  • It is an object of the present invention to present a method and an arrangement for enabling the identification of virtual networks and/or virtual routers in the course of tunneling data packets through a network. It is a further object of the invention that it is applicable in the course of secure tunneling of data between virtual routers irrespective of the actual method of implementing the packet authentication and/or encryption. [0013]
  • The objects of the invention are achieved by connecting a destination virtual router identity to the security association governing the handling of packets, so that a separate security association is used to send packets to each virtual router at the physical computing device identified by a certain network address. [0014]
  • It is characteristic to the method according to the invention that it comprises the steps of [0015]
  • a) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device, [0016]
  • b) identifying the transmitting virtual router and the receiving virtual router within said security association, [0017]
  • c) in the transmitting computer device, using the identification of the transmitting virtual router within the security association in the selection of the security association for processing a data packet coming from the transmitting virtual router, [0018]
  • d) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of values contained within the data packet, and [0019]
  • e) in the receiving computer device, directing the data packet processed within the security association to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association. [0020]
  • The invention also applies to a method for transmitting data packets in a transmitting computer device, as well as to a method for receiving data packets in a receiving computer device. The transmitting method comprises the characteristic features a), b) and c) given above, and the receiving method comprises the characteristic features a), b), d) and e) given above. [0021]
  • Additionally the invention applies to a networked computer device for securely processing transmittable data packets. As features characteristic to the invention it comprises [0022]
  • a number of virtual routers, [0023]
  • means for establishing a security association for the secure transmission of data packets between the computer device and some other networked computer device, [0024]
  • means for identifying a certain virtual router to be used in association with an established security association, and [0025]
  • means for associating a piece of information identifying said certain virtual router with said established security association. [0026]
  • The invention relies on the concept of security association, which is a reserved term in the context of one specific protocol, but which can easily be generalised to cover all arrangements having similar features regardless of the actual protocol that is used. The specific protocol referred to above is the IKE or Internet Key Exchange protocol, which was previously known as the ISAKMP/Oakley, where the acronym ISAKMP comes from Internet Security Association Key Management Protocol. It defines a method for authenticating the communicating parties to each other, deriving a shared secret known only to the communicating parties, negotiating authentication and encryption methods to be used for the communication, and agreeing on a security parameter index (SPI) value and a set of selectors to be used for the communication. The IKE protocol will be published in the form of an RFC standard, but at the filing date of the present patent application it is already available to the public at the internet address ftp://ftp.nordu.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley 08.txt which is hereby incorporated by reference. [0027]
  • According to the IKE protocol, the result of a negotiation between the communicating parties is one or more security associations or SAs. A security association specifies a set of selectors that indicate which packets the SA should be applied to, the type of the transformation applied to protect the packets (e.g. AH or ESP), the SPI, the encryption and/or authentication methods to apply, and the tunneling method and tunnel destination. The invention adds at least one new selector to a security association: the virtual network identifier. In some embodiments of the invention there are at least two new selectors to be added to the security association: the source virtual router identifier and the destination virtual router identifier. Additional selectors may be added according to need. The added selector(s) may be represented explicitly (e.g. as integers identifying the virtual network) or implicitly (e.g. by the queues and memory addresses in which the packet is stored and the routing tables by which it is processed). Advantageously the added selector(s) do(es) not form part of the actual data packet, but represent(s) information associated with the packet within a computing system.[0028]
  • The novel features which are considered as characteristic of the invention are set forth in particular in the appended Claims. The invention itself, however, both as to its construction and its method of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings. [0029]
  • FIG. 1A depicts a known router, [0030]
  • FIG. 1B illustrates the known concept of virtual routers, [0031]
  • FIGS. 2[0032] a to 2 c illustrate some known aspects of data packets,
  • FIG. 3 illustrates the setup of a security association, [0033]
  • FIG. 4 is a schematic drawing of two communicating computer devices, [0034]
  • FIG. 5 illustrates the principle of an advantageous embodiment of the invention, and [0035]
  • FIGS. 6 and 7 illustrate some architectures applicable in the context of the invention.[0036]
  • FIGS. 1[0037] a to 2 c were discussed previously in the description of prior art, so in the following we will concentrate on FIGS. 3 to 7.
  • FIG. 3 illustrates a part of a network comprising a [0038] transmitting device 301, a receiving device 302 and a two-way connection 303 for transmitting data packets between the two.
  • The invention does not limit the type of the [0039] devices 301 and 302; they may basically be hosts, routers, firewalls or other computer devices connected to the network, and they may be both of the same type or they may be of different types. However, because the invention concerns specifically the tunneling of packets in a network containing virtual routers, we must assume that at least one of the devices 301 and 302 is a virtual router. For the sake of example we will assume in the following that they are both virtual routers. The invention does not require that the two-way connection 303 is a simple cable connection. It may be even a complex network comprising a large number of intermediate routers and a variety of wireline, cable, fibre or wireless connection segments.
  • For the invention to be applicable we will assume that some arbitrary protocol exists for setting up a context for securely tunneling data packets from the transmitting [0040] device 301 through the connection 303 to the receiving device 302. As an example we will consider the IKE and IPSEC protocols mentioned previously. Setting up said context will then correspond to having a negotiation between the two devices, during which negotiation they will first authenticate themselves to each other and thereafter agree upon a shared secret, an authentication and/or encryption method to be used for the communication and on a security parameter index (SPI) value. The results of the negotiation will be locally stored at both devices, which is illustrated in FIG. 3 with the schematic memory blocks 304 and 305. There are also architectures where the results of the negotiation will be stored on a separate processor or in a separate central management station.
  • The negotiation will additionally result in a set of selectors to be used for the communication. The selectors typically specify which packets between the two communicating nodes should go into the tunnel. The IPSEC protocol specifies the following set of selectors: destination IP address, source IP address, protocol, source port number, destination port number, and user name. These selectors are also seen in memory blocks [0041] 304 and 305.
  • According to the present invention, at least one additional selector is agreed upon during the negotiation between the [0042] devices 301 and 302. A first advantageous embodiment of the invention is based on identifying each virtual network by a Virtual Network Identifier or VNI. Each physical computer device that comprises virtual routers will associate the VNI with one of its virtual routers. To identify a particular virtual router one would then need to know the network address(es) of the physical computer device and the virtual network identifier. In this first embodiment of the invention it suffices to add into the list of agreed selectors a VNI selector 306.
  • According to a second advantageous embodiment of the invention each physical computer device that comprises virtual routers will individually assign an unambiguous identifier to each of its virtual routers. Here “individually” means that a first physical computer device may assign a identifier XX to one of its virtual routers and a second computer device may assign a different identifier YY to one of its virtual routers even if the virtual routers XX and YY take part in the same virtual network. Naturally the identifiers for the virtual routers are also allowed to be the same (XX=YY). In this alternative identification scheme identifying a particular virtual router is equal to knowing, in addition to the network address(es) of the physical computer device, the virtual router identifier or VRI given internally within said physical computer device. Because both [0043] virtual routers 301 and 302 may have a different VRI, in this second embodiment of the invention it is most advantageous to add into the list of agreed selectors a source VRI selector 307 and a destination VRI selector 308.
  • The first and second embodiments of the invention described above both have their tradeoffs for configuration, management, and implementation. The choice between them may be affected by engineering decisions, standards, and other factors. [0044]
  • It is important to notice that even if the VNI or VRI is a property of every packet transmitted through a physical router implementing virtual routers, the invention does not require it to be a part of the actual data packet like e.g. destination addresses. It may be a piece of information conceptually associated with the packet within a computing system but not stored as part of the packet, approximately in a same way as user names. [0045]
  • Using the language of the IKE and IPSEC protocols, the result of the negotiation between the [0046] devices 301 and 302 is a security association (or a well-defined group of security associations). Because the VNI or VRI are selectors resembling the other selectors agreed upon during the setup of the security association, they may be represented explicitly (e.g. as an integer identifying the virtual network) or implicitly (e.g. by the queues and memory addresses in which the packet is stored and the routing tables by which it is processed).
  • In the previous discussion we have assumed that the security association is set up through an automatic negotiation between the communicating devices. In such case the invention requires the definition of at least one new selector within the protocol governing the automatic negotiation. The value for the new selector(s) will then be supplied during the negotiation just as for any other selectors, although their supplying will potentially require a straightforward extension of the existing standards; however, the technical implementation of such an extension is well within the capabilities of a person skilled in the art. It is also possible to configure the security association manually through operator action. Both the automatic negotiation and the manual configuration are processes known as such to the person skilled in the art. Regardless of the configuration method a typical value for the new selector(s) is an integer encoded as octets. [0047]
  • FIG. 4 is a slightly more detailed view of a [0048] transmitting device 401, a receiving device 402 and two-way communication connection 403 between them. Both the transmitting device 401 and the receiving device 402 have an automatic key manager block 404 and an IPSEC block 405 that communicate with a security policy database 406. We may keep the previously made assumption that the automatic key manager blocks 404 apply the IKE protocol for setting up the security association. To this end the automatic key manager block of the transmitting device 401 lists the value(s) of the new selector(s) according to the invention (the VNI or the VRIs) as a part of its phase 2 (Quick Mode) initiator ID payload 407. The automatic key manager block of the receiving device 402 then looks for a previously stored policy for that particular value or those particular values of the new selector(s), and uses the policy it finds or some newly constructed policy for further IPSEC processing. In its response, the key manager block of the receiving device 402 lists the same value(s) of the new selector(s) as a part of its responder ID payload 408.
  • A router supporting virtual routers may have the option of rejecting any negotiations that do not specify a virtual router. The above explained procedure of using the initiator and responder ID payloads as carriers for the value(s) of the new selector(s) according to the invention is to be seen as an example only; the person skilled in the art is capable of presenting also other methods for exchanging the mentioned values between the communicating parties. [0049]
  • Once the negotiation between the automatic [0050] key managers 404 is complete and the new security association is set up, both the transmitting device and the receiving device enter the information describing the security association into their security policy database. The stored information is then used for the processing of individual packets. For example if the first embodiment of the invention is used with a single VNI identifying all the virtual routers taking part in a certain virtual network, the IPSEC block of the transmitting device may apply the following rule: For an outgoing packet to be processed by a security association, it must be coming from the virtual router within the transmitting device identified by the negotiated VNI. One advantageous way of selecting a security association for the processing of a packet has been described in a co pending U.S. patent application of the same applicant with the title “Method and Arrangement for Implementing IPSEC Policy Management using Filter Code”. Other possible ways include the use of hash tables or lists of policy rules.
  • Generally when a receiving [0051] device 402 receives a packet protected using IPSEC, the receiving device selects the appropriate security association using the destination address, protocol (AH/ESP), and the SPI value indicated in the packet. IPSEC processing is then applied to the packet as specified by the security association. According to the invention when the packet leaves IPSEC processing, a check is made to see whether the security association specifies a VNI. If it does, the packet is internally (explicitly or implicitly) labelled as destined to the virtual router identified by that identifier within the receiving device, and is only sent to that virtual router.
  • To summarize the operation of the system of FIG. 4, we may look at the conceptual diagram of FIG. 5. Within the transmitting device the selectors associated with a packet identify the packet as belonging to a certain virtual network, whereby the transmitting device knows to process the packet according to the correct security association. In the receiving device the values contained within the header(s) of the packet tell to the receiving device, which security association it belongs to, and the security association further specifies the correct virtual network. [0052]
  • This invention is easily extended to encompass any security protocol that supports the concept of security associations, identified by selectors (such as network source or destination addresses) at the sending end and packet contents at the receiving end. Even though the invention was described in the context of the IPSEC protocol, it can be applied to other protocols such as Simple Key Manager for Internet Protocol SKIP, and a number of older protocols. [0053]
  • Even though the invention was described in the context of tunnels between two physical routers (endpoints), it can equally well be applied in the case of tunnels between more than two physical routers (e.g., when secure multicasts or broadcast transmissions are used for communication between the routers). [0054]
  • It should be noted that the concept of virtual networks is not limited to operation between traditional routers but can extend to hosts as well. For the purposes of this invention, IPSEC tunnels are not limited to the AH/ESP tunnel mode. The IPSEC AH/ESP transport mode can be used for this purpose as well, as it associates packets with a security association. Use of transport mode typically only makes sense between hosts. [0055]
  • There are several possible architectures for implementing the present invention, in particular with respect to the selection of the SPI values. Some of these architectures are illustrated in FIGS. 6 and 7. Firstly, according to FIG. 6, it is possible to have in each [0056] physical computer device 601 only a single module 602 performing IPSEC processing, and to have e.g. all virtual routers 603 a, 603 b and 603 c in a physical router share the same IPSEC module. In an alternative architecture according to FIG. 7 each virtual router 703 a, 703 b and 703 c can have its own IPSEC processor 702 a, 702 b and 702 c, but the different processors have a shared data structure 704 that they use for allocating SPI values (either by actually having a single store for SAs or SPIs, or by checking the SPIs used by every other virtual router before allocating an SPI value). In a third alternative architecture the range of possible SPI values may be partitioned so that the virtual router identifier is encoded into the SPI value (either in a fixed number of bits, or using any suitable arithmetic coding method to combine a virtual network identifier and a SPI index). Variations and intermediate forms of these architectures can also be used. When there are multiple IPSEC processing modules, and the SPI can be used to identify the IPSEC processing module, no explicit virtual network identifiers are needed. Likewise, when a set of security associations is associated with each virtual router, the virtual router identifier does not need to be used explicitly as a selector, even though it is implicitly involved. These cases are also within the scope of the present invention.
  • Besides negotiating the virtual network identifier as a selector, it is also possible to negotiate a special transformation (e.g., a variation of the standard AH/ESP transforms) that includes the virtual network identifier as part of the transformed packet. For example, the virtual network identifier could be stored in the first bytes of the payload (before the actual tunneled packet), in the padding bytes of an AH or ESP transformation, in the initialization vector of an ESP transformation, as part of the payload of a custom transformation, or in an IP option (in either an inner or an outer IP header). Many other possible locations for storing it are also possible. It is advantageous to have all potential information referring to a virtual network in the packet encrypted so that only the correct receiving device is able to decrypt it. It is also possible to explicitly store the virtual network identifier only when it changes, and use the same identifier for following packets until a new identifier is encountered, or use any other methods for passing parts of tunneled packets implicitly by context as outlined earlier. The identifier is still considered to be passed in each packet if such implicit methods are used. If the information identifying the transmitting virtual router and the receiving virtual router is somehow transmitted within a data packet, its presence in the data packet may be detectable by analysing the contents of the data packet only; an alternative is to indicate within the security association the presence of such information in the data packet. [0057]

Claims (13)

What is claimed is:
1. A method for communicating data packets between a transmitting virtual router in a transmitting computer device and a receiving virtual router in a receiving computer device, the method comprising the steps of
a) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device,
b) identifying the transmitting virtual router and the receiving virtual router within said security association,
c) in the transmitting computer device, using the identification of the transmitting virtual router within the security association in the selection of the security association for processing a data packet coming from the transmitting virtual router,
d) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of values contained within the data packet, and
e) in the receiving computer device, directing the data packet processed within the security association to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association.
2. A method according to claim 1, further comprising between steps c) and d) the step of performing a certain transform on the data packet to be transmitted to achieve tunneling between the transmitting computer device and the receiving computer device.
3. A method according to claim 2, wherein said transform is the IPSEC AH transform.
4. A method according to claim 2, wherein said transform is the IPSEC ESP transform.
5. A method according to claim 1, wherein step b) corresponds to using a virtual network identifier to indirectly identify the transmitting virtual router and the receiving virtual router within said security association.
6. A method according to claim 1, wherein step b) corresponds to using a transmitting virtual router identifier and a receiving virtual router identifier to directly identify the transmitting virtual router and the receiving virtual router within said security association.
7. A method according to claim 1, wherein steps a) and b) correspond to using the IKE protocol for establishing a security association between the transmitting computer device and the receiving computer device.
8. A method according to claim 7, wherein the use of the IKE protocol comprises the step of exchanging the information identifying the transmitting virtual router and the receiving virtual router between the transmitting computer device and the receiving computer device as part of the IKE phase 2 identity payloads.
9. A method according to claim 1, additionally comprising the steps of
inserting the information identifying the transmitting virtual router and the receiving virtual router into a data packet to be transmitted from the transmitting computer device to the receiving computer device, and
indicating within the security association the presence of said information in the data packet.
10. A method according to claim 1, additionally comprising the step of inserting the information identifying the transmitting virtual router and the receiving virtual router into a data packet to be transmitted from the transmitting computer device to the receiving computer device so that its presence in the data packet is detectable in the receiving computer by analysing the contents of the data packet.
11. A method for transmitting data packets from a transmitting virtual router in a transmitting computer device to a receiving computer device, the method comprising the steps of
a) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device,
b) identifying the transmitting virtual router within said security association, and
c) in the transmitting computer device, using the identification of the transmitting virtual router within the security association in the selection of the security association for processing a data packet coming from the transmitting virtual router.
12. A method for receiving data packets from a transmitting computer device in a receiving virtual router in a receiving computer device, the method comprising the steps of
a) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device,
b) identifying the transmitting virtual router and the receiving virtual router within said security association,
c) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of values contained within the data packet, and
d) in the receiving computer device, directing the data packet processed within the security association to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association.
13. A networked computer device for securely processing transmittable data packets, comprising
a number of virtual routers,
means for establishing a security association for the secure transmission of data packets between the computer device and some other networked computer device,
means for identifying a certain virtual router to be used in association with an established security association, and
means for associating a piece of information identifying said certain virtual router with said established security association.
US09/151,744 1998-09-11 1998-09-11 Method and arrangement for secure tunneling of data between virtual routers Expired - Lifetime US6438612B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/151,744 US6438612B1 (en) 1998-09-11 1998-09-11 Method and arrangement for secure tunneling of data between virtual routers

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09/151,744 US6438612B1 (en) 1998-09-11 1998-09-11 Method and arrangement for secure tunneling of data between virtual routers

Publications (2)

Publication Number Publication Date
US20020062344A1 true US20020062344A1 (en) 2002-05-23
US6438612B1 US6438612B1 (en) 2002-08-20

Family

ID=22540083

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/151,744 Expired - Lifetime US6438612B1 (en) 1998-09-11 1998-09-11 Method and arrangement for secure tunneling of data between virtual routers

Country Status (1)

Country Link
US (1) US6438612B1 (en)

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020104020A1 (en) * 2001-01-30 2002-08-01 Strahm Frederick William Processing internet protocol security traffic
US20020152373A1 (en) * 2000-09-13 2002-10-17 Chih-Tang Sun Tunnel interface for securing traffic over a network
US20020163920A1 (en) * 2001-05-01 2002-11-07 Walker Philip M. Method and apparatus for providing network security
US20030169747A1 (en) * 2002-03-01 2003-09-11 Yang Wang Resource allocation in virtual routers
US20030223361A1 (en) * 2002-06-04 2003-12-04 Zahid Hussain System and method for hierarchical metering in a virtual router based network switch
US20030223418A1 (en) * 2002-06-04 2003-12-04 Sachin Desai Network packet steering
WO2003103237A1 (en) * 2002-06-04 2003-12-11 Cosine Communications, Inc. System and method for controlling routing in a virtual router system
US6687128B2 (en) * 2000-09-21 2004-02-03 Tsunemi Tokuhara Associative type computers
US20040078621A1 (en) * 2002-08-29 2004-04-22 Cosine Communications, Inc. System and method for virtual router failover in a network routing system
US20040095934A1 (en) * 2002-11-18 2004-05-20 Cosine Communications, Inc. System and method for hardware accelerated packet multicast in a virtual routing system
US7003118B1 (en) * 2000-11-27 2006-02-21 3Com Corporation High performance IPSEC hardware accelerator for packet classification
US20060104308A1 (en) * 2004-11-12 2006-05-18 Microsoft Corporation Method and apparatus for secure internet protocol (IPSEC) offloading with integrated host protocol stack management
US20060265519A1 (en) * 2001-06-28 2006-11-23 Fortinet, Inc. Identifying nodes in a ring network
US7177311B1 (en) 2002-06-04 2007-02-13 Fortinet, Inc. System and method for routing traffic through a virtual router-based network switch
US7181612B1 (en) * 2002-01-17 2007-02-20 Cisco Technology, Inc. Facilitating IPsec communications through devices that employ address translation in a telecommunications network
US20070115979A1 (en) * 2004-11-18 2007-05-24 Fortinet, Inc. Method and apparatus for managing subscriber profiles
US20070214502A1 (en) * 2006-03-08 2007-09-13 Mcalister Donald K Technique for processing data packets in a communication network
US20070245140A1 (en) * 2002-01-09 2007-10-18 Nec Corporation Communication system and network control apparatus with encryption processing function, and communication control method
US7376125B1 (en) 2002-06-04 2008-05-20 Fortinet, Inc. Service processing switch
US20080117917A1 (en) * 2004-11-18 2008-05-22 Fortinet, Inc. Method and apparatus for managing subscriber profiles
US20080127297A1 (en) * 2006-11-29 2008-05-29 Red Hat, Inc. Method and system for sharing labeled information between different security realms
US7389358B1 (en) * 2000-09-13 2008-06-17 Fortinet, Inc. Distributed virtual system to support managed, network-based services
US7444398B1 (en) 2000-09-13 2008-10-28 Fortinet, Inc. System and method for delivering security services
US7539744B2 (en) 2000-09-13 2009-05-26 Fortinet, Inc. Network operating system for maintaining redundant master control blade management information
US7562213B1 (en) * 2003-09-16 2009-07-14 Cisco Technology, Inc. Approaches for applying service policies to encrypted packets
US7908481B1 (en) * 1999-12-17 2011-03-15 Avaya Inc. Routing data to one or more entities in a network
US20110122872A1 (en) * 2004-09-24 2011-05-26 Fortinet, Inc. Scalable ip-services enabled multicast forwarding with efficient resource utilization
US20110176552A1 (en) * 2000-09-13 2011-07-21 Fortinet, Inc. Managing interworking communications protocols
US20110219086A1 (en) * 2006-03-01 2011-09-08 Fortinet, Inc. Electronic message and data tracking system
US20110235649A1 (en) * 2003-08-27 2011-09-29 Fortinet, Inc. Heterogeneous media packet bridging
US8260918B2 (en) 2000-09-13 2012-09-04 Fortinet, Inc. Packet routing system and method
US8320279B2 (en) 2000-09-13 2012-11-27 Fortinet, Inc. Managing and provisioning virtual routers
US20130014234A1 (en) * 1998-12-24 2013-01-10 William Salkewicz Domain isolation through virtual network machines
US20130311766A1 (en) * 2000-06-26 2013-11-21 Victor B. Lortz Establishing network security using internet protocol security policies
US20150295899A1 (en) * 2014-04-09 2015-10-15 Cisco Technology, Inc. Group Member Recovery Techniques
CN105099849A (en) * 2015-06-23 2015-11-25 杭州华三通信技术有限公司 Method and equipment for establishing IPsec tunnel
US9571394B1 (en) * 2014-01-10 2017-02-14 Juniper Networks, Inc. Tunneled packet aggregation for virtual networks
US10848524B2 (en) * 2018-02-23 2020-11-24 Cisco Technology, Inc. On-demand security association management
US10992709B2 (en) * 2015-07-28 2021-04-27 Citrix Systems, Inc. Efficient use of IPsec tunnels in multi-path environment
US20210329456A1 (en) * 2018-09-04 2021-10-21 Telefonaktiebolaget Lm Ericsson (Publ) Signalling storm mitigation in a secured radio access network

Families Citing this family (199)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7032242B1 (en) * 1998-03-05 2006-04-18 3Com Corporation Method and system for distributed network address translation with network security features
KR100484209B1 (en) * 1998-09-24 2005-09-30 삼성전자주식회사 Digital Content Encryption / Decryption Device and Method
US6356544B1 (en) * 1999-05-03 2002-03-12 Fujitsu Network Communications, Inc. SONET add/drop multiplexer with packet over SONET capability
US6957346B1 (en) * 1999-06-15 2005-10-18 Ssh Communications Security Ltd. Method and arrangement for providing security through network address translations using tunneling and compensations
US7170856B1 (en) 1999-08-19 2007-01-30 Nokia Inc. Jitter buffer for a circuit emulation service over an internet protocol network
US6870837B2 (en) * 1999-08-19 2005-03-22 Nokia Corporation Circuit emulation service over an internet protocol network
US6594704B1 (en) * 1999-12-15 2003-07-15 Quarry Technologies Method of managing and using multiple virtual private networks in a router with a single routing table
US6614809B1 (en) * 2000-02-29 2003-09-02 3Com Corporation Method and apparatus for tunneling across multiple network of different types
US7082140B1 (en) * 2000-03-17 2006-07-25 Nortel Networks Ltd System, device and method for supporting a label switched path across a non-MPLS compliant segment
US7181542B2 (en) * 2000-04-12 2007-02-20 Corente, Inc. Method and system for managing and configuring virtual private networks
US7085854B2 (en) * 2000-04-12 2006-08-01 Corente, Inc. Methods and systems for enabling communication between a processor and a network operations center
US7028334B2 (en) * 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for using names in virtual networks
US7028333B2 (en) * 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for partners in virtual networks
JP2001298449A (en) * 2000-04-12 2001-10-26 Matsushita Electric Ind Co Ltd Security communication method, communication system and its unit
US6996628B2 (en) * 2000-04-12 2006-02-07 Corente, Inc. Methods and systems for managing virtual addresses for virtual networks
US7181766B2 (en) * 2000-04-12 2007-02-20 Corente, Inc. Methods and system for providing network services using at least one processor interfacing a base network
US6631416B2 (en) * 2000-04-12 2003-10-07 Openreach Inc. Methods and systems for enabling a tunnel between two computers on a network
US7047424B2 (en) * 2000-04-12 2006-05-16 Corente, Inc. Methods and systems for hairpins in virtual networks
US6934280B1 (en) 2000-05-04 2005-08-23 Nokia, Inc. Multiple services emulation over a single network service
JP3730480B2 (en) * 2000-05-23 2006-01-05 株式会社東芝 Gateway device
GB2365717B (en) * 2000-05-24 2004-01-21 Ericsson Telefon Ab L M IPsec processing
US6829709B1 (en) * 2000-05-30 2004-12-07 International Business Machines Corporation Validation of network communication tunnels
US7028332B1 (en) * 2000-06-13 2006-04-11 Intel Corporation Method and apparatus for preventing packet retransmissions during IPsec security association establishment
US20040064737A1 (en) * 2000-06-19 2004-04-01 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US7328349B2 (en) * 2001-12-14 2008-02-05 Bbn Technologies Corp. Hash-based systems and methods for detecting, preventing, and tracing network worms and viruses
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US7263106B2 (en) * 2000-09-13 2007-08-28 Fortinet, Inc. System and protocol for frame relay service over the internet
US6823453B1 (en) * 2000-10-06 2004-11-23 Hewlett-Packard Development Company, L.P. Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks
US6874030B1 (en) * 2000-11-13 2005-03-29 Cisco Technology, Inc. PPP domain name and L2TP tunnel selection configuration override
US7325058B1 (en) 2000-11-13 2008-01-29 Cisco Technology, Inc. Method and system for controlling subscriber access in a network capable of establishing connections with a plurality of domain sites
JP4225681B2 (en) * 2000-12-06 2009-02-18 富士通株式会社 Virtual closed network construction method and apparatus, and relay apparatus
US7200105B1 (en) 2001-01-12 2007-04-03 Bbn Technologies Corp. Systems and methods for point of ingress traceback of a network attack
US6966003B1 (en) * 2001-01-12 2005-11-15 3Com Corporation System and method for switching security associations
US7107350B2 (en) * 2001-01-17 2006-09-12 International Business Machines Corporation Methods, systems and computer program products for security processing outbound communications in a cluster computing environment
US7426566B2 (en) * 2001-01-17 2008-09-16 International Business Machines Corporation Methods, systems and computer program products for security processing inbound communications in a cluster computing environment
US7739497B1 (en) * 2001-03-21 2010-06-15 Verizon Corporate Services Group Inc. Method and apparatus for anonymous IP datagram exchange using dynamic network address translation
US6978308B2 (en) * 2001-03-21 2005-12-20 International Business Machines Corporation System and method for nesting virtual private networking connections with coincident endpoints
US7533409B2 (en) * 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks
US20020184487A1 (en) * 2001-03-23 2002-12-05 Badamo Michael J. System and method for distributing security processing functions for network applications
US8121296B2 (en) 2001-03-28 2012-02-21 Qualcomm Incorporated Method and apparatus for security in a data processing system
US8077679B2 (en) 2001-03-28 2011-12-13 Qualcomm Incorporated Method and apparatus for providing protocol options in a wireless communication system
US7664119B2 (en) * 2001-03-30 2010-02-16 Intel Corporation Method and apparatus to perform network routing
US7516485B1 (en) * 2001-05-29 2009-04-07 Nortel Networks Limited Method and apparatus for securely transmitting encrypted data through a firewall and for monitoring user traffic
US8200818B2 (en) * 2001-07-06 2012-06-12 Check Point Software Technologies, Inc. System providing internet access management with router-based policy enforcement
US7590684B2 (en) * 2001-07-06 2009-09-15 Check Point Software Technologies, Inc. System providing methodology for access control with cooperative enforcement
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
US7243225B2 (en) * 2001-07-13 2007-07-10 Certicom Corp. Data handling in IPSec enabled network stack
US7283526B2 (en) * 2001-07-19 2007-10-16 International Business Machines Corporation Method and system for providing a symmetric key for more efficient session identification
JP2003069609A (en) * 2001-08-23 2003-03-07 Fujitsu Ltd System for providing virtual private network service
US6978223B2 (en) * 2001-09-06 2005-12-20 Bbnt Solutions Llc Systems and methods for network performance measurement using packet signature collection
US7093024B2 (en) * 2001-09-27 2006-08-15 International Business Machines Corporation End node partitioning using virtualization
US7697523B2 (en) * 2001-10-03 2010-04-13 Qualcomm Incorporated Method and apparatus for data packet transport in a wireless communication system using an internet protocol
US7389537B1 (en) * 2001-10-09 2008-06-17 Juniper Networks, Inc. Rate limiting data traffic in a network
US7352868B2 (en) 2001-10-09 2008-04-01 Philip Hawkes Method and apparatus for security in a data processing system
US7649829B2 (en) * 2001-10-12 2010-01-19 Qualcomm Incorporated Method and system for reduction of decoding complexity in a communication system
US7028183B2 (en) * 2001-11-13 2006-04-11 Symantec Corporation Enabling secure communication in a clustered or distributed architecture
US20030105830A1 (en) * 2001-12-03 2003-06-05 Duc Pham Scalable network media access controller and methods
US7499410B2 (en) * 2001-12-26 2009-03-03 Cisco Technology, Inc. Fibre channel switch that enables end devices in different fabrics to communicate with one another while retaining their unique fibre channel domain—IDs
US7599360B2 (en) * 2001-12-26 2009-10-06 Cisco Technology, Inc. Methods and apparatus for encapsulating a frame for transmission in a storage area network
US7533183B1 (en) * 2001-12-28 2009-05-12 Nortel Networks Limited Central control of multiple address domains within a router
EP3401794A1 (en) 2002-01-08 2018-11-14 Seven Networks, LLC Connection architecture for a mobile network
US20030145227A1 (en) * 2002-01-28 2003-07-31 International Business Machines Corporation System and method of automatically handling internet key exchange traffic in a virtual private network
US7395354B2 (en) * 2002-02-21 2008-07-01 Corente, Inc. Methods and systems for resolving addressing conflicts based on tunnel information
KR100438431B1 (en) * 2002-02-23 2004-07-03 삼성전자주식회사 Security system for virtual private network service access in communication network and method thereof
US7107613B1 (en) * 2002-03-27 2006-09-12 Cisco Technology, Inc. Method and apparatus for reducing the number of tunnels used to implement a security policy on a network
US7406034B1 (en) 2002-04-01 2008-07-29 Cisco Technology, Inc. Methods and apparatus for fibre channel frame delivery
US7616637B1 (en) 2002-04-01 2009-11-10 Cisco Technology, Inc. Label switching in fibre channel networks
US6959297B2 (en) 2002-04-25 2005-10-25 Winnow Technology, Llc System and process for searching within a data stream using a pointer matrix and a trap matrix
US7937471B2 (en) * 2002-06-03 2011-05-03 Inpro Network Facility, Llc Creating a public identity for an entity on a network
US7116665B2 (en) * 2002-06-04 2006-10-03 Fortinet, Inc. Methods and systems for a distributed provider edge
US7206288B2 (en) * 2002-06-12 2007-04-17 Cisco Technology, Inc. Methods and apparatus for characterizing a route in fibre channel fabric
US7447901B1 (en) 2002-06-25 2008-11-04 Cisco Technology, Inc. Method and apparatus for establishing a dynamic multipoint encrypted virtual private network
US7366894B1 (en) * 2002-06-25 2008-04-29 Cisco Technology, Inc. Method and apparatus for dynamically securing voice and other delay-sensitive network traffic
US6931530B2 (en) 2002-07-22 2005-08-16 Vormetric, Inc. Secure network file access controller implementing access control and auditing
US7334124B2 (en) * 2002-07-22 2008-02-19 Vormetric, Inc. Logical access block processing protocol for transparent secure file storage
US6678828B1 (en) * 2002-07-22 2004-01-13 Vormetric, Inc. Secure network file access control system
US7234063B1 (en) * 2002-08-27 2007-06-19 Cisco Technology, Inc. Method and apparatus for generating pairwise cryptographic transforms based on group keys
US8234358B2 (en) 2002-08-30 2012-07-31 Inpro Network Facility, Llc Communicating with an entity inside a private network using an existing connection to initiate communication
US20040059829A1 (en) * 2002-09-24 2004-03-25 Chu Thomas P. Methods and devices for converting routing data from one protocol to another in a virtual private network
US7143288B2 (en) * 2002-10-16 2006-11-28 Vormetric, Inc. Secure file system server architecture and methods
US6850943B2 (en) * 2002-10-18 2005-02-01 Check Point Software Technologies, Inc. Security system and methodology for providing indirect access control
US7062566B2 (en) * 2002-10-24 2006-06-13 3Com Corporation System and method for using virtual local area network tags with a virtual private network
US7433326B2 (en) 2002-11-27 2008-10-07 Cisco Technology, Inc. Methods and devices for exchanging peer parameters between network devices
US9015467B2 (en) * 2002-12-05 2015-04-21 Broadcom Corporation Tagging mechanism for data path security processing
US7587587B2 (en) * 2002-12-05 2009-09-08 Broadcom Corporation Data path security processing
US7921285B2 (en) * 2002-12-27 2011-04-05 Verizon Corporate Services Group Inc. Means of mitigating denial of service attacks on IP fragmentation in high performance IPsec gateways
US7290134B2 (en) * 2002-12-31 2007-10-30 Broadcom Corporation Encapsulation mechanism for packet processing
US7599655B2 (en) 2003-01-02 2009-10-06 Qualcomm Incorporated Method and apparatus for broadcast services in a communication system
US7917468B2 (en) 2005-08-01 2011-03-29 Seven Networks, Inc. Linking of personal information management data
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
US7853563B2 (en) 2005-08-01 2010-12-14 Seven Networks, Inc. Universal data aggregation
US7949785B2 (en) 2003-03-31 2011-05-24 Inpro Network Facility, Llc Secure virtual community network system
US20040249973A1 (en) * 2003-03-31 2004-12-09 Alkhatib Hasan S. Group agent
US20040249974A1 (en) * 2003-03-31 2004-12-09 Alkhatib Hasan S. Secure virtual address realm
US8136155B2 (en) * 2003-04-01 2012-03-13 Check Point Software Technologies, Inc. Security system with methodology for interprocess communication control
US7788726B2 (en) * 2003-07-02 2010-08-31 Check Point Software Technologies, Inc. System and methodology providing information lockbox
US8098818B2 (en) 2003-07-07 2012-01-17 Qualcomm Incorporated Secure registration for a multicast-broadcast-multimedia system (MBMS)
US8718279B2 (en) 2003-07-08 2014-05-06 Qualcomm Incorporated Apparatus and method for a secure broadcast system
US7149897B2 (en) * 2003-07-25 2006-12-12 The United States Of America As Represented By The Secretary Of The Navy Systems and methods for providing increased computer security
US8724803B2 (en) 2003-09-02 2014-05-13 Qualcomm Incorporated Method and apparatus for providing authenticated challenges for broadcast-multicast communications in a communication system
US8146148B2 (en) * 2003-11-19 2012-03-27 Cisco Technology, Inc. Tunneled security groups
US7581093B2 (en) * 2003-12-22 2009-08-25 Nortel Networks Limited Hitless manual cryptographic key refresh in secure packet networks
WO2005082040A2 (en) * 2004-02-26 2005-09-09 Encore Networks, Inc. Method and system for providing end-to-end security solutions and protocol acceleration over networks using selective layer encryption
US7360083B1 (en) * 2004-02-26 2008-04-15 Krishna Ragireddy Method and system for providing end-to-end security solutions to aid protocol acceleration over networks using selective layer encryption
US8136149B2 (en) * 2004-06-07 2012-03-13 Check Point Software Technologies, Inc. Security system with methodology providing verified secured individual end points
US20050283604A1 (en) * 2004-06-21 2005-12-22 Ipolicy Networks, Inc., A Delaware Corporation Security association configuration in virtual private networks
US7953814B1 (en) 2005-02-28 2011-05-31 Mcafee, Inc. Stopping and remediating outbound messaging abuse
JP4415773B2 (en) * 2004-06-30 2010-02-17 株式会社日立製作所 Multicast packet relay device for virtual router
US8010082B2 (en) 2004-10-20 2011-08-30 Seven Networks, Inc. Flexible billing architecture
WO2006045102A2 (en) * 2004-10-20 2006-04-27 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
US7593324B2 (en) * 2004-10-25 2009-09-22 Cisco Technology, Inc. Graceful port shutdown protocol for fibre channel interfaces
US7916628B2 (en) 2004-11-01 2011-03-29 Cisco Technology, Inc. Trunking for fabric ports in fibre channel switches and attached devices
US7706781B2 (en) 2004-11-22 2010-04-27 Seven Networks International Oy Data security in a mobile e-mail service
FI117152B (en) 2004-12-03 2006-06-30 Seven Networks Internat Oy E-mail service provisioning method for mobile terminal, involves using domain part and further parameters to generate new parameter set in list of setting parameter sets, if provisioning of e-mail service is successful
US9160755B2 (en) 2004-12-21 2015-10-13 Mcafee, Inc. Trusted communication network
US9015472B1 (en) 2005-03-10 2015-04-21 Mcafee, Inc. Marking electronic messages to indicate human origination
US7627896B2 (en) * 2004-12-24 2009-12-01 Check Point Software Technologies, Inc. Security system providing methodology for cooperative enforcement of security policies during SSL sessions
US7649844B2 (en) 2004-12-29 2010-01-19 Cisco Technology, Inc. In-order fibre channel packet delivery
US8059551B2 (en) 2005-02-15 2011-11-15 Raytheon Bbn Technologies Corp. Method for source-spoofed IP packet traceback
US7877703B1 (en) 2005-03-14 2011-01-25 Seven Networks, Inc. Intelligent rendering of information in a limited display environment
US7761702B2 (en) * 2005-04-15 2010-07-20 Cisco Technology, Inc. Method and apparatus for distributing group data in a tunneled encrypted virtual private network
US7796742B1 (en) 2005-04-21 2010-09-14 Seven Networks, Inc. Systems and methods for simplified provisioning
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
WO2006136660A1 (en) 2005-06-21 2006-12-28 Seven Networks International Oy Maintaining an ip connection in a mobile network
US8547874B2 (en) * 2005-06-30 2013-10-01 Cisco Technology, Inc. Method and system for learning network information
US8069166B2 (en) 2005-08-01 2011-11-29 Seven Networks, Inc. Managing user-to-user contact with inferred presence information
US20070060104A1 (en) * 2005-08-03 2007-03-15 Sbc Knowledge Ventures Lp Method and apparatus for improving communication security
US7486673B2 (en) 2005-08-29 2009-02-03 Connect Technologies Corporation Method and system for reassembling packets prior to searching
WO2007035725A2 (en) * 2005-09-19 2007-03-29 Schweitzer Engineering Laboratories, Inc. Method and apparatus for routing data streams among intelligent electronic devices
US7933964B2 (en) 2006-02-16 2011-04-26 Microsoft Corporation Shell sessions
US7933986B2 (en) * 2006-02-16 2011-04-26 Microsoft Corporation Transferring command-lines as a message
US7769395B2 (en) 2006-06-20 2010-08-03 Seven Networks, Inc. Location-based operations and messaging
US7818790B1 (en) * 2006-03-17 2010-10-19 Erf Wireless, Inc. Router for use in a monitored network
US9253151B2 (en) * 2006-05-25 2016-02-02 International Business Machines Corporation Managing authentication requests when accessing networks
US7755872B2 (en) * 2006-09-14 2010-07-13 Schweitzer Engineering Laboratories, Inc. System, method and device to preserve protection communication active during a bypass operation
US7644187B2 (en) * 2007-02-02 2010-01-05 Harris Corporation Internet protocol based encryptor/decryptor two stage bypass device
US7747634B2 (en) * 2007-03-08 2010-06-29 Microsoft Corporation Rich data tunneling
EP1972994A1 (en) * 2007-03-20 2008-09-24 Seiko Epson Corporation Projector
US8693494B2 (en) 2007-06-01 2014-04-08 Seven Networks, Inc. Polling
US8805425B2 (en) 2007-06-01 2014-08-12 Seven Networks, Inc. Integrated messaging
US8798056B2 (en) * 2007-09-24 2014-08-05 Intel Corporation Method and system for virtual port communications
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US8793305B2 (en) 2007-12-13 2014-07-29 Seven Networks, Inc. Content delivery to a mobile device from a content service
US8107921B2 (en) 2008-01-11 2012-01-31 Seven Networks, Inc. Mobile virtual network operator
US8862657B2 (en) 2008-01-25 2014-10-14 Seven Networks, Inc. Policy based content service
US20090193338A1 (en) 2008-01-28 2009-07-30 Trevor Fiatal Reducing network and battery consumption during content delivery and playback
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
US10354229B2 (en) 2008-08-04 2019-07-16 Mcafee, Llc Method and system for centralized contact management
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
US8792490B2 (en) * 2009-03-16 2014-07-29 Cisco Technology, Inc. Logically partitioned networking devices
US8528002B2 (en) * 2009-05-11 2013-09-03 International Business Machines Corporation Providing access control for a destination in a messaging system
WO2011126889A2 (en) 2010-03-30 2011-10-13 Seven Networks, Inc. 3d mobile user interface with configurable workspace management
US9043433B2 (en) 2010-07-26 2015-05-26 Seven Networks, Inc. Mobile network traffic coordination across multiple applications
US9077630B2 (en) 2010-07-26 2015-07-07 Seven Networks, Inc. Distributed implementation of dynamic wireless traffic policy
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
GB2500333B (en) 2010-07-26 2014-10-08 Seven Networks Inc Mobile application traffic optimization
US8326985B2 (en) 2010-11-01 2012-12-04 Seven Networks, Inc. Distributed management of keep-alive message signaling for mobile network resource conservation and optimization
US9330196B2 (en) 2010-11-01 2016-05-03 Seven Networks, Llc Wireless traffic management system cache optimization using http headers
US8166164B1 (en) 2010-11-01 2012-04-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US9060032B2 (en) 2010-11-01 2015-06-16 Seven Networks, Inc. Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
GB2499534B (en) 2010-11-01 2018-09-19 Seven Networks Llc Caching adapted for mobile application behavior and network conditions
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
WO2012060995A2 (en) 2010-11-01 2012-05-10 Michael Luna Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
WO2012061437A1 (en) 2010-11-01 2012-05-10 Michael Luna Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
GB2495463B (en) 2010-11-22 2013-10-09 Seven Networks Inc Aligning data transfer to optimize connections established for transmission over a wireless network
GB2500327B (en) 2010-11-22 2019-11-06 Seven Networks Llc Optimization of resource polling intervals to satisfy mobile device requests
GB2501416B (en) 2011-01-07 2018-03-21 Seven Networks Llc System and method for reduction of mobile network traffic used for domain name system (DNS) queries
WO2012145533A2 (en) 2011-04-19 2012-10-26 Seven Networks, Inc. Shared resource and virtual resource management in a networked environment
WO2012149434A2 (en) 2011-04-27 2012-11-01 Seven Networks, Inc. Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
GB2504037B (en) 2011-04-27 2014-12-24 Seven Networks Inc Mobile device which offloads requests made by a mobile application to a remote entity for conservation of mobile device and network resources
US9154327B1 (en) 2011-05-27 2015-10-06 Cisco Technology, Inc. User-configured on-demand virtual layer-2 network for infrastructure-as-a-service (IaaS) on a hybrid cloud network
WO2013015994A1 (en) 2011-07-27 2013-01-31 Seven Networks, Inc. Monitoring mobile application activities for malicious traffic on a mobile device
US8868753B2 (en) 2011-12-06 2014-10-21 Seven Networks, Inc. System of redundantly clustered machines to provide failover mechanisms for mobile traffic management and network resource conservation
US8934414B2 (en) 2011-12-06 2015-01-13 Seven Networks, Inc. Cellular or WiFi mobile traffic optimization based on public or private network destination
US9009250B2 (en) 2011-12-07 2015-04-14 Seven Networks, Inc. Flexible and dynamic integration schemas of a traffic management system with various network operators for network traffic alleviation
WO2013086447A1 (en) 2011-12-07 2013-06-13 Seven Networks, Inc. Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
US9832095B2 (en) 2011-12-14 2017-11-28 Seven Networks, Llc Operation modes for mobile traffic optimization and concurrent management of optimized and non-optimized traffic
EP2792188B1 (en) 2011-12-14 2019-03-20 Seven Networks, LLC Mobile network reporting and usage analytics system and method using aggregation of data in a distributed traffic optimization system
US8861354B2 (en) 2011-12-14 2014-10-14 Seven Networks, Inc. Hierarchies and categories for management and deployment of policies for distributed wireless traffic optimization
GB2499306B (en) 2012-01-05 2014-10-22 Seven Networks Inc Managing user interaction with an application on a mobile device
WO2013116856A1 (en) 2012-02-02 2013-08-08 Seven Networks, Inc. Dynamic categorization of applications for network access in a mobile network
US8660129B1 (en) 2012-02-02 2014-02-25 Cisco Technology, Inc. Fully distributed routing over a user-configured on-demand virtual network for infrastructure-as-a-service (IaaS) on hybrid cloud networks
US9326189B2 (en) 2012-02-03 2016-04-26 Seven Networks, Llc User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
US10263899B2 (en) 2012-04-10 2019-04-16 Seven Networks, Llc Enhanced customer service for mobile carriers using real-time and historical mobile application and traffic or optimization data associated with mobile devices in a mobile network
WO2014011216A1 (en) 2012-07-13 2014-01-16 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US8750123B1 (en) 2013-03-11 2014-06-10 Seven Networks, Inc. Mobile device equipped with mobile network congestion recognition to make intelligent decisions regarding connecting to an operator network
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network
US9262622B2 (en) 2013-12-06 2016-02-16 Bank Of America Corporation Secure connection between a data repository and an intelligence application
GB2526598B (en) * 2014-05-29 2018-11-28 Imagination Tech Ltd Allocation of primitives to primitive blocks
US10951591B1 (en) * 2016-12-20 2021-03-16 Wells Fargo Bank, N.A. SSL encryption with reduced bandwidth
US11368493B2 (en) * 2020-10-02 2022-06-21 Johnson Controls Tyco IP Holdings LLP System for and method of detecting communication security in building automation and control networks

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5550816A (en) * 1994-12-29 1996-08-27 Storage Technology Corporation Method and apparatus for virtual switching
US6041166A (en) * 1995-07-14 2000-03-21 3Com Corp. Virtual network architecture for connectionless LAN backbone
JPH09130421A (en) * 1995-11-02 1997-05-16 Furukawa Electric Co Ltd:The Virtual network controlling method
US6157649A (en) * 1995-11-17 2000-12-05 3 Com Corporation Method and system for coordination and control of data streams that terminate at different termination units using virtual tunneling
WO1997026734A1 (en) * 1996-01-16 1997-07-24 Raptor Systems, Inc. Transferring encrypted packets over a public network
US5959990A (en) * 1996-03-12 1999-09-28 Bay Networks, Inc. VLAN frame format
US6085238A (en) * 1996-04-23 2000-07-04 Matsushita Electric Works, Ltd. Virtual LAN system
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5968176A (en) * 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US6047330A (en) * 1998-01-20 2000-04-04 Netscape Communications Corporation Virtual router discovery system
US6049878A (en) * 1998-01-20 2000-04-11 Sun Microsystems, Inc. Efficient, secure multicasting with global knowledge
US6182226B1 (en) * 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6202081B1 (en) * 1998-07-21 2001-03-13 3Com Corporation Method and protocol for synchronized transfer-window based firewall traversal
US6304973B1 (en) * 1998-08-06 2001-10-16 Cryptek Secure Communications, Llc Multi-level security network system
US6006259A (en) * 1998-11-20 1999-12-21 Network Alchemy, Inc. Method and apparatus for an internet protocol (IP) network clustering system

Cited By (116)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130014234A1 (en) * 1998-12-24 2013-01-10 William Salkewicz Domain isolation through virtual network machines
US8713153B2 (en) * 1998-12-24 2014-04-29 Ericsson Ab Domain isolation through virtual network machines
US9047460B2 (en) 1998-12-24 2015-06-02 Ericsson Ab Domain isolation through virtual network machines
US7908481B1 (en) * 1999-12-17 2011-03-15 Avaya Inc. Routing data to one or more entities in a network
US20130311766A1 (en) * 2000-06-26 2013-11-21 Victor B. Lortz Establishing network security using internet protocol security policies
US8955098B2 (en) * 2000-06-26 2015-02-10 Intel Corporation Establishing network security using internet protocol security policies
US9258280B1 (en) * 2000-09-13 2016-02-09 Fortinet, Inc. Tunnel interface for securing traffic over a network
US9124555B2 (en) 2000-09-13 2015-09-01 Fortinet, Inc. Tunnel interface for securing traffic over a network
US8069233B2 (en) 2000-09-13 2011-11-29 Fortinet, Inc. Switch management system and method
US9391964B2 (en) 2000-09-13 2016-07-12 Fortinet, Inc. Tunnel interface for securing traffic over a network
US7539744B2 (en) 2000-09-13 2009-05-26 Fortinet, Inc. Network operating system for maintaining redundant master control blade management information
US20090046728A1 (en) * 2000-09-13 2009-02-19 Fortinet, Inc. System and method for delivering security services
US9667604B2 (en) 2000-09-13 2017-05-30 Fortinet, Inc. Tunnel interface for securing traffic over a network
US7444398B1 (en) 2000-09-13 2008-10-28 Fortinet, Inc. System and method for delivering security services
US9160716B2 (en) 2000-09-13 2015-10-13 Fortinet, Inc. Tunnel interface for securing traffic over a network
US7389358B1 (en) * 2000-09-13 2008-06-17 Fortinet, Inc. Distributed virtual system to support managed, network-based services
US8250357B2 (en) * 2000-09-13 2012-08-21 Fortinet, Inc. Tunnel interface for securing traffic over a network
US20120324216A1 (en) * 2000-09-13 2012-12-20 Fortinet, Inc. Tunnel interface for securing traffic over a network
US8260918B2 (en) 2000-09-13 2012-09-04 Fortinet, Inc. Packet routing system and method
US8320279B2 (en) 2000-09-13 2012-11-27 Fortinet, Inc. Managing and provisioning virtual routers
US9853948B2 (en) 2000-09-13 2017-12-26 Fortinet, Inc. Tunnel interface for securing traffic over a network
US20110176552A1 (en) * 2000-09-13 2011-07-21 Fortinet, Inc. Managing interworking communications protocols
US20110032942A1 (en) * 2000-09-13 2011-02-10 Fortinet, Inc. Fast path complex flow processing
US8650390B2 (en) * 2000-09-13 2014-02-11 Fortinet, Inc. Tunnel interface for securing traffic over a network
US20020152373A1 (en) * 2000-09-13 2002-10-17 Chih-Tang Sun Tunnel interface for securing traffic over a network
US8583800B2 (en) 2000-09-13 2013-11-12 Fortinet, Inc. Packet routing system and method
US6687128B2 (en) * 2000-09-21 2004-02-03 Tsunemi Tokuhara Associative type computers
US7003118B1 (en) * 2000-11-27 2006-02-21 3Com Corporation High performance IPSEC hardware accelerator for packet classification
US20020104020A1 (en) * 2001-01-30 2002-08-01 Strahm Frederick William Processing internet protocol security traffic
US6996842B2 (en) * 2001-01-30 2006-02-07 Intel Corporation Processing internet protocol security traffic
US20020163920A1 (en) * 2001-05-01 2002-11-07 Walker Philip M. Method and apparatus for providing network security
US7061899B2 (en) * 2001-05-01 2006-06-13 Hewlett-Packard Development Company, L.P. Method and apparatus for providing network security
US9143351B2 (en) 2001-06-28 2015-09-22 Fortinet, Inc. Identifying nodes in a ring network
US20060265519A1 (en) * 2001-06-28 2006-11-23 Fortinet, Inc. Identifying nodes in a ring network
US8208409B2 (en) 2001-06-28 2012-06-26 Fortinet, Inc. Identifying nodes in a ring network
US7890663B2 (en) 2001-06-28 2011-02-15 Fortinet, Inc. Identifying nodes in a ring network
US20070058648A1 (en) * 2001-06-28 2007-03-15 Fortinet, Inc. Identifying nodes in a ring network
US9602303B2 (en) 2001-06-28 2017-03-21 Fortinet, Inc. Identifying nodes in a ring network
US9998337B2 (en) 2001-06-28 2018-06-12 Fortinet, Inc. Identifying nodes in a ring network
US7716471B2 (en) * 2002-01-09 2010-05-11 Nec Corporation Communication system and network control apparatus with encryption processing function, and communication control method
US20070245140A1 (en) * 2002-01-09 2007-10-18 Nec Corporation Communication system and network control apparatus with encryption processing function, and communication control method
US7181612B1 (en) * 2002-01-17 2007-02-20 Cisco Technology, Inc. Facilitating IPsec communications through devices that employ address translation in a telecommunications network
US20030169747A1 (en) * 2002-03-01 2003-09-11 Yang Wang Resource allocation in virtual routers
US20110016215A1 (en) * 2002-03-01 2011-01-20 Verizon Business Global Llc Resource allocation in virtual routers
US7801155B2 (en) * 2002-03-01 2010-09-21 Verizon Business Global Llc Resource allocation in virtual routers
US8427972B2 (en) 2002-03-01 2013-04-23 Verizon Business Global Llc Resource allocation in virtual routers
US8068503B2 (en) 2002-06-04 2011-11-29 Fortinet, Inc. Network packet steering via configurable association of processing resources and netmods or line interface ports
US8542595B2 (en) 2002-06-04 2013-09-24 Fortinet, Inc. Service processing switch
US20100220732A1 (en) * 2002-06-04 2010-09-02 Fortinet, Inc. Service processing switch
US20030223361A1 (en) * 2002-06-04 2003-12-04 Zahid Hussain System and method for hierarchical metering in a virtual router based network switch
US9967200B2 (en) 2002-06-04 2018-05-08 Fortinet, Inc. Service processing switch
US7668087B2 (en) 2002-06-04 2010-02-23 Fortinet, Inc. Hierarchical metering in a virtual router-based network switch
US20030223418A1 (en) * 2002-06-04 2003-12-04 Sachin Desai Network packet steering
WO2003103237A1 (en) * 2002-06-04 2003-12-11 Cosine Communications, Inc. System and method for controlling routing in a virtual router system
US9215178B2 (en) 2002-06-04 2015-12-15 Cisco Technology, Inc. Network packet steering via configurable association of packet processing resources and network interfaces
US7161904B2 (en) 2002-06-04 2007-01-09 Fortinet, Inc. System and method for hierarchical metering in a virtual router based network switch
US8064462B2 (en) 2002-06-04 2011-11-22 Fortinet, Inc. Service processing switch
US7177311B1 (en) 2002-06-04 2007-02-13 Fortinet, Inc. System and method for routing traffic through a virtual router-based network switch
US7203192B2 (en) 2002-06-04 2007-04-10 Fortinet, Inc. Network packet steering
US9019833B2 (en) 2002-06-04 2015-04-28 Fortinet, Inc. Service processing switch
US20070109968A1 (en) * 2002-06-04 2007-05-17 Fortinet, Inc. Hierarchical metering in a virtual router-based network switch
US7376125B1 (en) 2002-06-04 2008-05-20 Fortinet, Inc. Service processing switch
US20070127382A1 (en) * 2002-06-04 2007-06-07 Fortinet, Inc. Routing traffic through a virtual router-based network switch
US7340535B1 (en) * 2002-06-04 2008-03-04 Fortinet, Inc. System and method for controlling routing in a virtual router system
US8638802B2 (en) 2002-06-04 2014-01-28 Cisco Technology, Inc. Network packet steering via configurable association of packet processing resources and network interfaces
US7278055B2 (en) 2002-08-29 2007-10-02 Fortinet, Inc. System and method for virtual router failover in a network routing system
US8819486B2 (en) 2002-08-29 2014-08-26 Google Inc. Fault tolerant routing in a non-hot-standby configuration of a network routing system
US8412982B2 (en) 2002-08-29 2013-04-02 Google Inc. Fault tolerant routing in a non-hot-standby configuration of a network routing system
US7096383B2 (en) 2002-08-29 2006-08-22 Cosine Communications, Inc. System and method for virtual router failover in a network routing system
US20040078621A1 (en) * 2002-08-29 2004-04-22 Cosine Communications, Inc. System and method for virtual router failover in a network routing system
US20070162783A1 (en) * 2002-08-29 2007-07-12 Fortinet, Inc. System and method for virtual router failover in a network routing system
US20040095934A1 (en) * 2002-11-18 2004-05-20 Cosine Communications, Inc. System and method for hardware accelerated packet multicast in a virtual routing system
US10200275B2 (en) 2002-11-18 2019-02-05 Fortinet, Inc. Hardware-accelerated packet multicasting
US20110200044A1 (en) * 2002-11-18 2011-08-18 Fortinet, Inc. Hardware-accelerated packet multicasting in a virtual routing system
US7266120B2 (en) 2002-11-18 2007-09-04 Fortinet, Inc. System and method for hardware accelerated packet multicast in a virtual routing system
US8644311B2 (en) 2002-11-18 2014-02-04 Fortinet, Inc. Hardware-accelerated packet multicasting in a virtual routing system
US9014186B2 (en) 2002-11-18 2015-04-21 Fortinet, Inc. Hardware-accelerated packet multicasting
US9407449B2 (en) 2002-11-18 2016-08-02 Fortinet, Inc. Hardware-accelerated packet multicasting
US8503463B2 (en) 2003-08-27 2013-08-06 Fortinet, Inc. Heterogeneous media packet bridging
US20110235649A1 (en) * 2003-08-27 2011-09-29 Fortinet, Inc. Heterogeneous media packet bridging
US9331961B2 (en) 2003-08-27 2016-05-03 Fortinet, Inc. Heterogeneous media packet bridging
US9509638B2 (en) 2003-08-27 2016-11-29 Fortinet, Inc. Heterogeneous media packet bridging
US9185050B2 (en) 2003-08-27 2015-11-10 Fortinet, Inc. Heterogeneous media packet bridging
US9853917B2 (en) 2003-08-27 2017-12-26 Fortinet, Inc. Heterogeneous media packet bridging
US7562213B1 (en) * 2003-09-16 2009-07-14 Cisco Technology, Inc. Approaches for applying service policies to encrypted packets
US9167016B2 (en) 2004-09-24 2015-10-20 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US9319303B2 (en) 2004-09-24 2016-04-19 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US20110122872A1 (en) * 2004-09-24 2011-05-26 Fortinet, Inc. Scalable ip-services enabled multicast forwarding with efficient resource utilization
US9166805B1 (en) 2004-09-24 2015-10-20 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US8369258B2 (en) 2004-09-24 2013-02-05 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US8953513B2 (en) 2004-09-24 2015-02-10 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US10038567B2 (en) 2004-09-24 2018-07-31 Fortinet, Inc. Scalable IP-services enabled multicast forwarding with efficient resource utilization
US7783880B2 (en) * 2004-11-12 2010-08-24 Microsoft Corporation Method and apparatus for secure internet protocol (IPSEC) offloading with integrated host protocol stack management
US20060104308A1 (en) * 2004-11-12 2006-05-18 Microsoft Corporation Method and apparatus for secure internet protocol (IPSEC) offloading with integrated host protocol stack management
US20110235548A1 (en) * 2004-11-18 2011-09-29 Fortinet, Inc. Managing hierarchically organized subscriber profiles
US20080117917A1 (en) * 2004-11-18 2008-05-22 Fortinet, Inc. Method and apparatus for managing subscriber profiles
US8107376B2 (en) 2004-11-18 2012-01-31 Fortinet, Inc. Managing hierarchically organized subscriber profiles
US20070115979A1 (en) * 2004-11-18 2007-05-24 Fortinet, Inc. Method and apparatus for managing subscriber profiles
US7808904B2 (en) 2004-11-18 2010-10-05 Fortinet, Inc. Method and apparatus for managing subscriber profiles
US20110219086A1 (en) * 2006-03-01 2011-09-08 Fortinet, Inc. Electronic message and data tracking system
WO2007103338A3 (en) * 2006-03-08 2008-05-08 Cipheroptics Inc Technique for processing data packets in a communication network
US20070214502A1 (en) * 2006-03-08 2007-09-13 Mcalister Donald K Technique for processing data packets in a communication network
WO2007103338A2 (en) * 2006-03-08 2007-09-13 Cipheroptics, Inc. Technique for processing data packets in a communication network
US8607302B2 (en) * 2006-11-29 2013-12-10 Red Hat, Inc. Method and system for sharing labeled information between different security realms
US20080127297A1 (en) * 2006-11-29 2008-05-29 Red Hat, Inc. Method and system for sharing labeled information between different security realms
US9571394B1 (en) * 2014-01-10 2017-02-14 Juniper Networks, Inc. Tunneled packet aggregation for virtual networks
US9942148B1 (en) 2014-01-10 2018-04-10 Juniper Networks, Inc. Tunneled packet aggregation for virtual networks
US9674088B1 (en) 2014-01-10 2017-06-06 Juniper Networks, Inc. Receive packet steering for virtual networks
US9832175B2 (en) 2014-04-09 2017-11-28 Cisco Technology, Inc. Group member recovery techniques
US9444796B2 (en) * 2014-04-09 2016-09-13 Cisco Technology, Inc. Group member recovery techniques
US20150295899A1 (en) * 2014-04-09 2015-10-15 Cisco Technology, Inc. Group Member Recovery Techniques
CN105099849A (en) * 2015-06-23 2015-11-25 杭州华三通信技术有限公司 Method and equipment for establishing IPsec tunnel
US10992709B2 (en) * 2015-07-28 2021-04-27 Citrix Systems, Inc. Efficient use of IPsec tunnels in multi-path environment
US10848524B2 (en) * 2018-02-23 2020-11-24 Cisco Technology, Inc. On-demand security association management
US11363073B2 (en) 2018-02-23 2022-06-14 Cisco Technology, Inc. On-demand security association management
US20210329456A1 (en) * 2018-09-04 2021-10-21 Telefonaktiebolaget Lm Ericsson (Publ) Signalling storm mitigation in a secured radio access network

Also Published As

Publication number Publication date
US6438612B1 (en) 2002-08-20

Similar Documents

Publication Publication Date Title
US6438612B1 (en) Method and arrangement for secure tunneling of data between virtual routers
US11283772B2 (en) Method and system for sending a message through a secure connection
US9967372B2 (en) Multi-hop WAN MACsec over IP
CA2315722C (en) A method for packet authentication in the presence of network address translations and protocol conversions
EP2823620B1 (en) Enhancing ipsec performance and security against eavesdropping
US7571463B1 (en) Method an apparatus for providing a scalable and secure network without point to point associations
US5416842A (en) Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US8379638B2 (en) Security encapsulation of ethernet frames
US7000120B1 (en) Scheme for determining transport level information in the presence of IP security encryption
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
US7239634B1 (en) Encryption mechanism in advanced packet switching system
JP2000315997A (en) Encryption communication method and node unit
US8687485B1 (en) Method and apparatus for providing replay protection in systems using group security associations
Mambo et al. Implementation of virtual private networks at the transport layer
JP2001007849A (en) Mpls packet processing method and mpls packet processor
CN117640235A (en) Dual encryption method based on IPsec and quantum key and encryption gateway
Napier SECURING VIRTUAL PRIVATE NETWORKS
Kim et al. New mechanisms for end-to-end security using IPSec in NAT-based private networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: SSH COMMUNICATIONS SECURITY LTD., FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YLONEN, TATU;KIVINEN, TERO;REEL/FRAME:009664/0353

Effective date: 19980928

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SFNT FINLAND OY, FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SSH COMMUNICATIONS SECURITY CORP.;REEL/FRAME:015215/0805

Effective date: 20031117

FEPP Fee payment procedure

Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERA

Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SAFENET, INC.;REEL/FRAME:019161/0506

Effective date: 20070412

AS Assignment

Owner name: DEUTSCHE BANK TRUST COMPANY AMERICAS, AS COLLATERA

Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SAFENET, INC.;REEL/FRAME:019181/0012

Effective date: 20070412

AS Assignment

Owner name: SAFENET, INC., MARYLAND

Free format text: CHANGE OF NAME;ASSIGNOR:SFNT FINLAND OY;REEL/FRAME:020609/0987

Effective date: 20060316

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: SAFENET, INC.,MARYLAND

Free format text: PARTIAL RELEASE OF COLLATERAL;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS, AS FIRST AND SECOND LIEN COLLATERAL AGENT;REEL/FRAME:024103/0730

Effective date: 20100226

Owner name: SAFENET, INC., MARYLAND

Free format text: PARTIAL RELEASE OF COLLATERAL;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS, AS FIRST AND SECOND LIEN COLLATERAL AGENT;REEL/FRAME:024103/0730

Effective date: 20100226

AS Assignment

Owner name: AUTHENTEC, INC., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SAFENET, INC.;REEL/FRAME:024823/0745

Effective date: 20100226

AS Assignment

Owner name: SSH COMMUNICATIONS SECURITY CORP., FINLAND

Free format text: CHANGE OF NAME;ASSIGNOR:SSH COMMUNICATIONS SECURITY LTD;REEL/FRAME:029065/0952

Effective date: 20000507

AS Assignment

Owner name: INSIDE SECURE, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AUTHENTEC, INC.;REEL/FRAME:029748/0128

Effective date: 20121201

FPAY Fee payment

Year of fee payment: 12