System and method for dynamic macro placement of IP...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details
Classifications: C709S224000, C709S226000, C709S229000, C707S793000
Type: Reexamination Certificate
Status: active
Patent number: 06643776

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field of the Invention
This invention pertains to virtual private network (VPN) implementations, a fundamental enabler for E-business. More particularly, it relates to IP security, providing data encryption and authentication at the IP datagram level through the use of VPN policy filters.
2. Background Art
Virtual Private Network (VPN) is a fundamental enabler for electronic business. IP Security, the technology VPNs are built upon, provides data encryption and authentication at the IP datagram level of TCP/IP.
A security policy database (SPD) is, logically, a collection of rules which define how to select IP traffic for the various security associations (SAs). The “SAs” are stored in what is termed the SA database (SAD). Logically, the SPD maps traffic to a particular SA. These are implemented as filter rules. An SPD is a term and concept in the IPsec architecture (RFC 2401), recently approved by the IETF as a proposed standard.
In the prior art, users generate their list of filter rules by hand, and once a set is defined it is an ordered list and is loaded as a set. Once loaded, the set cannot be changed. The rule set is changed by removing the loaded set, and replacing it. It has heretofore not been permitted to load individual filter rules within the set. Thus, the invention objective relates to the dynamic placement of individual filter rules in an existing set of filter rules. The ‘placement problem’ has two aspects, which must be solved in turn. The first is termed the ‘macro’ placement problem, because it deals with the large scale placement of filter rules in the set of all system filter rules.
In accordance with current requirements, to ensure consistent, predictable processing, SPD entries must be ordered and the SPD must always be searched in the same order, so that the first matching entry is consistently selected. This requirement is necessary because the effect of processing traffic against SPD entries must be deterministic, yet there is currently no way to dynamically order or structure SPD entries. In addition to the problem of physical arrangement, there is the important problem of how the various VPN connections, which start and stop dynamically, should relate to each other and to the existing filter rules.
If all the SPD entries were fairly static, a solution would be to present the list of SPD entries in some suitable form to the user, who would then order it and re-load the new ordering. Aside from the perhaps unappealing mechanics, the problem with this is that the SPD entries are not static. Both initiator-mode and responder-mode connections require dynamically loading new connection filters. It is, therefore, not practical to expect the user to order these filters dynamically. Another approach would be to have the user specify an a priori ordering for connections started locally (say, auto-started or scheduled). The problem with this is that it adds yet another level of complexity to the already complex VPN configuration process, and it does not work for responder-mode connections without still more configuration complexity and perhaps unnecessary restrictions on responder-mode connections.
IP filter rules are processed top-to-bottom, in the order given by the user. IP security introduces a new level of complexity, because the filter rules now have to be placed in the right position dynamically by the system, since IP Security connections are dynamic. These filter rules also have to be removed dynamically. The IP Security (IPsec) Architecture (RFC 2401) does not actually define, much less suggest a solution for, the placement problem. There is, therefore, a need in the art for a system and method which gives the user direct and simple control over how its IP Security policy is enforced, without requiring the customer to order the filter rules for each IP Security connection.
It is an object of the invention to provide an improved system and method for managing a set of filter rules.
It is a further object of the invention to provide a system and method for dynamically loading individual connection filters in a preexisting set of filters.
It is a further object of the invention to provide a system and method for enforcing a user's security policies in the absence of started connections.
It is a further object of the invention to provide a solution for the macro placement of connection filters.
SUMMARY OF THE INVENTION
In accordance with the invention, a system and method are provided for implementing an IP security policy by manually specifying the order of policy filters within a filter set and thereafter dynamically placing VPN connection filters in the set of filters.
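The following is an added toy model, not code from the patent, of the ordered-SPD behaviour described in the Background and Summary: a user-ordered static filter set is loaded once, lookups are first-match in fixed order, and connection filters are inserted and removed dynamically at a user-chosen position. The "anchor" rule type, the rule names and the sample addresses are assumptions made for the illustration.

```python
"""Ordered SPD with deterministic first-match lookup and dynamic macro
placement of VPN connection filters at a user-designated anchor slot.
Added example; the anchor convention and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str        # CIDR selector for the source address
    dst: str        # CIDR selector for the destination address
    action: str     # "ipsec", "permit", "deny", or "anchor" (placement slot)
    dynamic: bool = False  # True for connection filters loaded at run time


class SPD:
    def __init__(self, static_rules: List[Rule]):
        # The static set is user-ordered and loaded as a whole; it must
        # contain exactly one anchor marking where connection filters go.
        self.rules = list(static_rules)
        if sum(r.action == "anchor" for r in self.rules) != 1:
            raise ValueError("static set needs exactly one anchor rule")

    def lookup(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Search top-to-bottom in fixed order; first match wins."""
        for r in self.rules:
            if r.action == "anchor":
                continue  # the anchor is a placeholder, never a match
            if ip_address(src) in ip_network(r.src) and \
               ip_address(dst) in ip_network(r.dst):
                return r.name, r.action
        return None

    def add_connection(self, name: str, src: str, dst: str) -> None:
        """Place a connection filter immediately before the anchor, so it
        sits below every static rule the user ordered above the anchor and
        above every static rule the user ordered below it."""
        idx = next(i for i, r in enumerate(self.rules) if r.action == "anchor")
        self.rules.insert(idx, Rule(name, src, dst, "ipsec", dynamic=True))

    def remove_connection(self, name: str) -> bool:
        """Unload one dynamic filter without touching the static set."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if not (r.dynamic and r.name == name)]
        return before - len(self.rules) == 1


def demo():
    spd = SPD([
        Rule("deny-bogus", "0.0.0.0/0", "10.9.9.0/24", "deny"),   # user wants this first
        Rule("vpn-connections", "0.0.0.0/0", "0.0.0.0/0", "anchor"),
        Rule("default-permit", "0.0.0.0/0", "0.0.0.0/0", "permit"),
    ])
    before = spd.lookup("192.0.2.5", "10.1.1.7")        # falls to default-permit
    spd.add_connection("conn-branch", "192.0.2.0/24", "10.1.0.0/16")
    during = spd.lookup("192.0.2.5", "10.1.1.7")        # now hits the connection filter
    shadowed = spd.lookup("192.0.2.5", "10.9.9.1")      # static deny still wins
    spd.remove_connection("conn-branch")
    after = spd.lookup("192.0.2.5", "10.1.1.7")         # back to default-permit
    return before, during, shadowed, after
```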
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.


REFERENCES:
patent: 5696486 (1997-12-01), Poliquin et al.
patent: 5777549 (1998-07-01), Arrowsmith et al.
patent: 5787428 (1998-07-01), Hart
patent: 5835726 (1998-11-01), Shwed et al.
patent: 05-120340 (1993-05-01), None
patent: 2001-167125 (2001-06-01), None
“Policy-based Routing”, Network iQ Router Reference Manual, Software Release 7.4 DOC-03011-002-9709 (c) 1997, 3 pages. (http://www/3net.co.uk/documentation/rel74/html/ip014.htm).
“Configuring Accept Policies”, Bay Networks Apr. 16, 1996, 2 pages. (http://support.baynetworks.com/library/.tpubs/html/router/soft1000/ip/2917A-260.html).
Technical Report of IEICE IN96-144 “A Study On An Automatic Generation and Recovery . . . ”, Feb. 21, 1997.
RFC 2401 Security Architecture for the Internet Protocol.
Technical Report of IEICE, IN98-199 “A 50 Mpps Longest Prefix Match Search Engine LS1 . . . ”.
Recent Object Orientation Technology '98, pp. 124-132, Firewall Gateway Software Architecture and Framework.
