System and method for routing and processing data packets

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Details

C370S401000

Reexamination Certificate

active

06717943

ABSTRACT:

FIELD OF THE INVENTION
The present invention is directed to the routing of data packets. In particular, the present invention is directed to systems which prevent the unauthorized access to packetized information, which reduce processing costs and time, and which prevent the loss of transmitted information.
BACKGROUND OF THE INVENTION
Connectivity and security are two competing objectives of the computing environment in most organizations. The typical modern computing system is built around network communications and supplying transparent access to a multitude of services. The global availability of these services is perhaps the single most important feature of modern computing solutions. Demand for connectivity comes from both outside and inside organizations.
Protecting network services from unauthorized usage is of importance to any organization. Any PC workstation, once connected to the Internet, can offer all of the features which are offered to any other station on the network. Using available technology, an organization must give up much of its connectivity in order to prevent the threat of loss or theft, even to the point of eliminating some or all connections to the outside environment or to other sites.
As the need for increased security grows, the means for controlling access to network resources has become an administrative priority for many companies. In order to save costs and maintain productivity, access control must be simple to configure and “transparent” to both users and applications. The minimization of set up costs and down time are also important factors.
Computerized data is typically transmitted in packets. A “packet” is a sequence of bytes delivered by the communication line that is rendered distinct from other sequences of bytes, according to a “protocol” applied when the bytes are “encoded” and decoded. Packet techniques are well known to those skilled in the art and include, for example, the EtherNet Protocol (IEEE Standard 802.3) and various commercial packet protocols such as the Synchronous Datalink Protocol (SDLC) and Expoint 2.5. A “circuit” monitors an incoming communication line and determines when a packet begins. Bytes of the packet are then processed until packet reception is complete.
Commercially available circuits and interfaces are known for performing the tasks of recognizing the beginning of a packet and the processing of bytes until complete, for example, as known from a byte count and marker or the like. The generic function of receiving packets is thus well known in the art. However, once a packet or sequence of bytes is extracted from the communication network, there are a variety of possibilities as to how the encoded data are to be processed.
In a conventional broadcast network, the sender of the data packet encodes information that explicitly determines a recipient, or a set of recipients, to whom the data packet is directed. The recipient, or set of recipients, is identified in the packet by the sender inserting specific bytes in the message at the time of transmission. Conventional circuitry as described above, for example, recognizes information at a predetermined byte or bit position, typically in a header block at the start of the packet. This information is used to identify the intended receiver or receivers. Only packets destined for the respective data processing equipment require intervention by that data processing equipment and other packets can be ignored.
“Packet filtering” is a method which allows connectivity, yet provides security by controlling the traffic being passed, thus preventing illegal communication attempts, both within single networks and between connected networks. The current implementation of packet filtering allows specification of access and list tables according to a fixed format. This method is limited in its flexibility by the organizations' security policy. It is also limited to the set of protocols and services defined in that particular table. This method also does not allow the introduction of different protocols or services which are not specified in the original table. Another method of implementing packet filtering is tailoring the computer-operating system code manually in every strategic point in the organization. This method is limited by its flexibility to future changes in network topology, new protocols, enhanced services, and to future security threats. It requires a substantial amount of work by experts modifying proprietary computer programs, making it inefficient and expensive to set up and maintain.
In addition to protecting data transmission, the need for secure long distance communications between enterprises, branch offices and business partners is becoming an essential requirement in modern day business practice. Historically, dedicated point-to-point connections between networks provided fully private inter-enterprise commerce and long distance transactions. However, their inflexibility and prohibitive costs have prevented their widespread use. Public networks such as the Internet provide a flexible and inexpensive solution for long distance inter-networking. Instead of establishing dedicated lines, enterprises can communicate using the Internet as a mediator. Once connected to a local Internet provider, private networks can quickly connect to any destination around the world. These developments raise additional security issues.
A number of prior art patents are directed to data routing systems and to methods of providing data security. U.S. Pat. No. 5,805,572 discloses a transparent routing system within a “cluster” which is achieved (without changing the networking code on each “node” of the cluster) by using a pair of “modules” interposed on the networking “stack”. In a “clustered” system built out of several computers, the networking subsystem appears to “applications” as if the applications are running on a single computer. In addition, no modifications to the networking code are needed. The disclosed system is extensible to a variety of networking protocols and allows the routing within the cluster to be performed dynamically. A packet filter and remote communication between the modules through IDL enable the modules to function.
In U.S. Pat. No. 5,608,662, a “data processor” is connected to a digital communication system such that information packets broadcast on the system are examined to determine if the contents of each packet meet selection criteria, whereupon the packet is “coupled” to the “processor”. A “state machine” or “interface processor” is connected between the processor and the network, and compares packets to the selection criteria, passing accepted packets and blocking rejected ones. The selection criteria are programmed into the state machine as a “decision tree” of any length, configuration or data requirements, preferably by the attached data processor, and can include examination of arbitrary sections of the packet for equality/inequality, greater-than/less-than, signed and unsigned comparisons and bit mask comparisons. Thus, content is variably examined, as opposed to checking for an address or key code at a given byte position. The state machine operates on recognition instructions including “byte offset” and content specifics. The recognition instructions can include “plural distinct” criteria, determined by the data processor to serve application programs running in a “multi-tasking” environment. Thus, the data processor compiles a series of recognition instructions that are passed to the state machine as tasks in the multi-tasking environment are added or deleted, or when a task decides to change selection requirements. Preferably, “signaling lines” allow the data processor to determine the reason for selection of a packet, for example, by the state machine reporting to the data processor its program count upon acceptance.
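The byte-offset recognition instructions and decision tree described for U.S. Pat. No. 5,608,662, contrasted with the fixed-format access table of the packet-filtering discussion above, as an added Python example that is not part of the patent text. The frame layout (14-byte Ethernet-style header followed by a 20-byte IPv4-style header), the instruction fields and the sample policy are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Union

# Constructed sample frame (not from the patent): 14-byte Ethernet-style header
# followed by a 20-byte IPv4-style header; field values are illustrative only.
def make_frame(ethertype: int, proto: int, src: bytes, dst: bytes, ttl: int = 64) -> bytes:
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, proto, 0, src, dst)
    return eth + ip

@dataclass(frozen=True)
class Instruction:
    """One recognition instruction: compare `length` bytes at `offset` with `value`."""
    offset: int
    length: int
    op: str               # "eq", "ne", "gt", "lt" or "mask"
    value: int
    mask: int = 0         # used only by "mask": (field & mask) == value
    signed: bool = False  # signed or unsigned comparison of the field

    def matches(self, packet: bytes) -> bool:
        field = packet[self.offset:self.offset + self.length]
        if len(field) < self.length:
            return False  # truncated packet: a partial field never matches
        n = int.from_bytes(field, "big", signed=self.signed)
        if self.op == "mask":
            return (n & self.mask) == self.value
        return {"eq": n == self.value, "ne": n != self.value,
                "gt": n > self.value, "lt": n < self.value}[self.op]

@dataclass(frozen=True)
class Node:
    """Decision-tree node: branch on one instruction; leaves are verdict strings."""
    test: Instruction
    on_match: Union["Node", str]
    on_miss: Union["Node", str]

def classify(tree: Union[Node, str], packet: bytes) -> str:
    """Walk the decision tree over the raw bytes and return 'accept' or 'reject'."""
    node = tree
    while isinstance(node, Node):
        node = node.on_match if node.test.matches(packet) else node.on_miss
    return node

# Constructed policy: accept only IPv4 TCP frames to 10.0.0.0/8 with TTL > 1.
POLICY = Node(Instruction(12, 2, "eq", 0x0800),                      # EtherType IPv4
         Node(Instruction(23, 1, "eq", 6),                           # IP protocol TCP
         Node(Instruction(30, 4, "mask", 0x0A000000, 0xFF000000),    # dst in 10/8
         Node(Instruction(22, 1, "gt", 1), "accept", "reject"),      # TTL > 1
         "reject"), "reject"), "reject")
```

Unlike a fixed-position address table, every test here names its own offset, width and comparison, so a new protocol is a new instruction rather than a new table format.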
U.S. Pat. No. 5,715,418 discloses a system which translates between “physical and logical (or virtual) address spaces” autonomously using information decoded by an address mode translator from command bits within a host CPU


Profile ID: LFUS-PAI-O-3198008
