Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Packet header designating cryptographically protected data
Reexamination Certificate
1998-06-19
2001-06-26
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Packet header designating cryptographically protected data
C713S162000, C713S168000, C713S152000
Reexamination Certificate
active
06253321
ABSTRACT:
FIELD OF USE
The invention relates to the field of implementing protocols that authenticate and encrypt/decrypt packetised digital information.
BACKGROUND TO THE INVENTION
The IP security protocol (IPSEC) is being standardized by the IETF (Internet Engineering Task Force) for adding security to the well known and widely used IP protocol. It provides cryptographic authentication and confidentiality of traffic between two communicating network nodes. It can be used in both end-to-end mode, i.e. directly between the communicating nodes or hosts, or in tunnel mode between firewalls or VPN (Virtual Private Network) devices.
Asymmetric connections, where one end is a host and the other end is a firewall or VPN are also possible.
IPSEC defines a set of operations for performing authentication and encryption on packet level by adding new protocol headers to each packet. IPSEC authentication of a data packet is performed by computing an authentication code over all data and most of the header of the data packet. The authentication code further depends on a secret key, known only to the communicating parties. The authentication code is then stored in the packet, appropriately wrapped in a well-defined header or trailer.
The operations to be performed on each packet are controlled by a policy that specifies which authentication and encryption methods, jointly called transforms, are to be applied between each pair of communicating hosts. The parameters specifying the cryptographic algorithms, cryptographic keys, and other data related to securely processing packets between two hosts or peers is called a security association.
A certain policy is typically expressed as a set of policy rules, each rule specifying a set of selectors (such as source IP address, destination IP address, subnet, protocol, source port number, destination port number) constraining the communication or set of communications to which the rule applies. Several rules may apply to a particular packet, and there is normally a mutual order of the rules so that a single rule can be unambiguously chosen for each incoming and outgoing packet.
The IPSEC standard and published implementations present a data structure called the policy database, which is an array or table in memory and contains rules. The rules in the policy database are consulted for each packet to be processed.
FIG. 1
is a simplified graphical illustration of a known IPSEC implementation
100
, which contains a policy database
101
and separates a secure internal network
102
from the Internet network
103
. For the sake of simplicity, packets flowing only to one direction (outgoing packets) are considered. The input packets
104
in
FIG. 1
contain data that a user in the internal network
102
wants to send to another user through the Internet and that need to be processed for authentication and encryption. In the IPSEC implementation an input packet under consideration
105
is transformed into an output packet under consideration
106
by consulting the rules in the policy database
101
. The transformed output packets
107
are then sent into the Internet, where they will be properly routed to the correct receiving user.
On the other hand, mechanisms for filtering IP packets have been available and well-known in the literature for a long time. Suitable mechanisms are presented for example in J. Mogul, R. Rashid, M. Accetta:
The Packet Filter: An Efficient Mechanism for User
-
Level Network Code
In Proc. 11th Symposium on Operating Systems Principles, pp 39-51, 1987 and Jeffrey Mogul:
Using screens to implement IP/TCP security policies
, Digital Network Systems Laboratory, NSL Network, Note NN-16, July 1991. Packet filters also have a set of rules, typically combined by a set of implicit or explicit logical operators.
The task of a packet filter is to either accept or reject a packet for further processing.
The logical rules used in packet filters take the form of simple comparisons on individual fields of data packets. Effectively, effecting a such comparison takes the form of evaluating a boolean (logical, truth value) expression. Methods for evaluating such expressions have been well-known in the mathematical literature for centuries. The set of machine-readable instructions implementing the evaluations is traditionally called the filter code.
FIG. 2
illustrates a packet filter
200
with a stored filter code
201
. Input packets
202
are examined one packet at a time in the packet filter
200
and only those packets are passed on as output packets
203
that produce correct boolean values when the logical rules of the filter code are applied.
The individual predicates (comparisons) of packet filter expressions typically involve operands that access individual fields of the data packet, either in the original data packet format or from an expanded format where access to individual fields of the packet is easier. Methods for accessing data structure fields in fixed-layout and variable-layout data structures and for packing and unpacking data into structures have been well-known in standard programming languages like fortran, cobol and pascal, and have been commonly used as programming techniques since 1960's.
The idea of using boolean expressions to control execution, and their use as tests are both parts of the very basis of all modern programming languages, and the technique has been a standard method in programming since 1950's or earlier.
Expressing queries and search specifications as a set of rules or constraints has been a standard method in databases, pattern matching, data processing, and artificial intelligence. There are several journals, books and conference series that deal with efficient evaluation of sets of rules against data samples. These standard techniques can be applied to numerous kinds of data packets, including packets in data communication networks.
A further well-known technique is the compilation of programming language expressions, such as boolean expressions and conditionals, into an intermediate language for faster processing (see, for example, A. Aho, R. Sethi, J. Ullman:
Compilers
-
Principles, Techniques, and Tools
, Addison-Wesley, 1986). Such intermediate code may be e.g. in the form of trees, tuples, or interpreted byte code instructions. Such code may be structured in a number of ways, such as register-based, memory-based, or stack-based. Such code may or may not be allowed to perform memory allocation, and memory management may be explicit, requiring separate allocations and frees, or implicit, where the run time system automatically manages memory through the use of garbage collection. The operation of such code may be stateless between applications (though carrying some state, such as the program counter, between individual intermediate language instructions is always necessary) like the operation of the well-known unix program “grep”, and other similar programs dating back to 1960s or earlier. The code may also carry a state between invocations, like the well-known unix program “passwd”, most database programs and other similar applications dating back to 1960s or earlier. It may even be self modifying like many Apple II games in the early 1980s and many older assembly language programs. It is further possible to compile such intermediate representation into directly executable machine code for further optimizations. All this is well-known in the art and has been taught on university programming language and compiler courses for decades. Newer well-known research has also presented methods for incremental compilation of programs, and compiling portions of programs when they are first needed.
Real-time filtering of large volumes of data packets has required optimization in the methods used to manipulate data. Thus, the standard programming language compilation techniques have been applied on the logical expression interpretation of the rule sets, resulting in intermediate code that can be evaluated faster than the original rule sets. A particular implementation of these well-known methods us
Nikander Pekka
Ylonen Tatu
Falk & Fish
Fish Ronald C.
Peeso Thomas R.
SSH Communications Security Ltd.
LandOfFree
Method and arrangement for implementing IPSEC policy... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and arrangement for implementing IPSEC policy..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and arrangement for implementing IPSEC policy... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2467021