In-line encryption of network data

Information

  • Patent Grant
  • Patent Number
    12,238,076
  • Date Filed
    Tuesday, October 1, 2019
  • Date Issued
    Tuesday, February 25, 2025
Abstract
Methods and systems for modifying network traffic data. The method of modifying network traffic data may include receiving a network traffic data unit by a switching engine; performing an analysis on the network traffic data unit to obtain network tunnel information; generating encryption information based on the network tunnel information; and securing the network traffic data unit, by an encryption engine, based on the encryption information.
Description
BACKGROUND

Certain forms of encryption and decryption may be relatively slow to encrypt and/or decrypt network traffic that uses the Internet Protocol (IP). Accordingly, specialized methods of encryption may be necessary to improve the efficiency of such encryption.


SUMMARY

In general, in one aspect, one or more embodiments relate to a method for modifying network traffic data. The method may include: receiving a network traffic data unit by a switching engine; performing an analysis on the network traffic data unit to obtain network tunnel information; generating encryption information based on the network tunnel information; and securing the network traffic data unit, by an encryption engine, based on the encryption information.


In general, in one aspect, one or more embodiments relate to a method for modifying network traffic data. The method may include: receiving an encrypted network traffic data unit, by a decryption engine, comprising: network tunnel information; and decryption information; obtaining an encryption type based on the decryption information; decrypting the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; and generating post-decryption information based on the decrypting.


In general, in one aspect, one or more embodiments relate to a system for modifying network traffic data. The system may include: a switching engine, configured to: receive a network traffic data unit; perform an analysis on the network traffic data unit to obtain network tunnel information; and generate encryption information based on the network tunnel information; and an encryption engine, configured to: secure the network traffic data unit based on the encryption information.


In general, in one aspect, one or more embodiments relate to a system for modifying network traffic data. The system may include: a decryption engine, configured to: receive an encrypted network traffic data unit, comprising: network tunnel information; and decryption information; obtain an encryption type based on the decryption information; decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; and generate post-decryption information based on the decrypted network traffic data unit.


Other aspects of the embodiments disclosed herein will be apparent from the following description and the appended claims.


BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows a system in accordance with one or more embodiments.

FIG. 2A shows a system in accordance with one or more embodiments.

FIG. 2B shows a system in accordance with one or more embodiments.

FIG. 2C shows a system in accordance with one or more embodiments.

FIG. 2D shows a system in accordance with one or more embodiments.

FIG. 2E shows a system in accordance with one or more embodiments.

FIG. 3 shows a flowchart in accordance with one or more embodiments.

FIG. 4 shows a flowchart in accordance with one or more embodiments.

FIG. 5 shows a flowchart in accordance with one or more embodiments.

FIG. 6 shows a flowchart in accordance with one or more embodiments.

FIG. 7 shows an example in accordance with one or more embodiments.


DETAILED DESCRIPTION

Specific embodiments will now be described with reference to the accompanying figures. In the following description, numerous details are set forth as examples of one or more embodiments. It will be understood by those skilled in the art, and having the benefit of this Detailed Description, that one or more embodiments may be practiced without these specific details and that numerous variations or modifications may be possible without departing from the scope of the embodiments disclosed herein. Certain details known to those of ordinary skill in the art may be omitted to avoid obscuring the description.


In the following description of the figures, any component described with regard to a figure, in various embodiments disclosed herein, may be equivalent to one or more like-named components shown and/or described with regard to any other figure. For brevity, descriptions of these components may not be repeated with regard to each figure. Thus, each and every embodiment of the components of each figure is incorporated by reference and assumed to be optionally present within every other figure having one or more like-named components.


Additionally, in accordance with various embodiments disclosed herein, any description of any component of a figure is to be interpreted as an optional embodiment, which may be implemented in addition to, in conjunction with, or in place of the embodiments described with regard to a corresponding like-named component in any other figure.


Throughout the application, ordinal numbers (e.g., first, second, third, etc.) may be used as an adjective for an element (i.e., any noun in the application). The use of ordinal numbers is not to imply or create any particular ordering of the elements nor to limit any element to being only a single element unless expressly disclosed, such as by the use of the terms “before”, “after”, “single”, and other such terminology. Rather, the use of ordinal numbers is to distinguish between the elements. By way of an example, a first element is distinct from a second element, and the first element may encompass more than one element and succeed (or precede) the second element in an ordering of elements.


As used herein, the term ‘operatively connected’, or ‘operative connection’, means that there exists between elements/components/devices a direct or indirect connection that allows the elements to interact with one another in some way (e.g., via the exchange of information). For example, the phrase ‘operatively connected’ may refer to any direct (e.g., wired or wireless connection directly between two devices) or indirect (e.g., wired and/or wireless connections between any number of devices connecting the operatively connected devices) connection.


In general, embodiments relate to methods and systems for modifying (e.g., encrypting and decrypting) network traffic that is transmitted via a network using certain protocols (e.g., Internet Protocol (IP)). Specifically, in one or more embodiments, network traffic that is routed using IP and is to traverse a public network via a network tunnel is encrypted and decrypted by a specialized hardware configuration, so that the speed and efficiency of handling the network traffic may be improved relative to systems that lack such a specialized hardware configuration.


In one or more embodiments, a determination is made that network traffic is intended to traverse a network tunnel, and the network traffic is therefore tagged and encrypted before entering the tunnel. Subsequently, in one or more embodiments, once the encrypted network traffic arrives at a decryption engine at the end of the tunnel, the network traffic is decrypted before being transmitted towards its destination.



FIG. 1 shows a system (100) in accordance with one or more embodiments.


In one or more embodiments, the system (100) includes a source device (102), network device A (104) (which includes switching engine A (106) and encryption engine (108)), network (110), network device B (112) (which includes decryption engine (114) and switching engine B (116)), and destination device (118). Each of these devices is described below.


In one or more embodiments, a network device (e.g., network device A (104) and network device B (112)) is a physical device that includes and/or is operatively connected to persistent storage (not shown), memory (e.g., random access memory (RAM)) (not shown), one or more processor(s) (e.g., integrated circuits) (not shown), and at least one physical network port (not shown), which may also be referred to as an interface. Examples of a network device include, but are not limited to, a network switch, a router, a multilayer switch, a fibre channel device, an InfiniBand® device, etc. A network device is not limited to the aforementioned specific examples.


In one or more embodiments, a network device (e.g., 104, 112) includes functionality to receive network traffic data units (e.g., frames, packets, tunneling protocol frames, etc.) at any of the physical network ports (i.e., interfaces) of the network device, and to process the network traffic data units. In one or more embodiments, processing a network traffic data unit includes, but is not limited to, a series of one or more table lookups (e.g., longest prefix match (LPM) lookups, forwarding equivalence class (FEC) lookups, etc.) and corresponding actions (e.g., transmission from a certain egress port, adding a labeling protocol header, rewriting a destination address, encapsulation, etc.). Such a series of lookups and corresponding actions may determine how to route the network traffic data unit so that it is transmitted from an interface of the network device. One or more actions to be taken with regard to a received network traffic data unit may be obtained by a network device based on the network traffic data unit being recognized as located within a particular category, which may have one or more associated actions and/or items of information relevant to processing the network traffic data unit (e.g., label switched path protocol actions, multipath information, egress interface information, etc.).


In one or more embodiments, a network device also includes and/or is operatively connected to device storage and/or device memory (i.e., non-transitory computer readable mediums) storing software and/or firmware. Such software and/or firmware may include instructions which, when executed by the one or more processors (not shown) of a network device, cause the one or more processors to perform operations in accordance with one or more embodiments described herein.


In one or more embodiments, a network device (104, 112) may be capable of receiving and transmitting network data based on specialized routing techniques. For example, in one or more embodiments, a network device (104, 112) is capable of performing a forwarding action based on information obtained from the network traffic data unit. Continuing the example, a network device may be able to receive and analyze a network traffic data unit to identify the existence of forwarding information. Further, in one or more embodiments, if forwarding information is present, the forwarding information may indicate the destination of the network traffic data unit and/or a special routing technique (e.g., a particular network device, or set of network devices (i.e., a network path), that the network traffic data unit is intended to traverse). Thus, if such forwarding information exists, the network device may be able to transmit that network traffic data unit to the next appropriate network device (e.g., a ‘next-hop’ network device) without having to perform any traditional form of lookup or forwarding (e.g., using a destination IP address to identify an egress port). Further, in one or more embodiments, prior to forwarding the network traffic data unit to the next device, the network device removes a segment of the forwarding information, as that segment is no longer needed once the next device in the route has been identified.


In one or more embodiments, a network device may be able to identify the destination of a network traffic data unit, perform a lookup, and identify, based on the destination, that the network traffic data unit is intended to traverse the network in a particular path. Accordingly, in one or more embodiments, the network device transmits the network traffic data unit to the next appropriate network device as specified by the lookup. In one or more embodiments, a network device may be capable of utilizing multiprotocol label switching (MPLS), shortest path bridging (SPB), equal-cost multipath routing (ECMP), generalized multiprotocol label switching (GMPLS), and/or any other routing techniques for the forwarding of network traffic data units.


In one or more embodiments, a source device (e.g., source device (102)) is a device that includes functionality to operatively communicate with a destination device (e.g., destination device (118)). More specifically, the source device (e.g., source device (102)) may include functionality to generate and/or transmit network traffic data units addressed to the destination device (e.g., destination device (118)). In one or more embodiments, a source device (e.g., source device (102)) is capable of generating a network traffic data unit that includes (i) a payload and/or (ii) forwarding information.


In one or more embodiments, a source device (102) is a network device (described above). In other embodiments, a source device (e.g., source device (102)) is a computing device that generates a network traffic data unit and transmits that network traffic data unit to a network device (e.g., network device (104)). In one or more embodiments, a computing device is any device or any set of devices capable of electronically processing instructions and may include, but is not limited to, any of the following: one or more processors (not shown), memory (e.g., random access memory (RAM)) (not shown), input and output device(s) (not shown), persistent storage (not shown), one or more physical interfaces (e.g., network ports) (not shown), any number of other hardware components (not shown) or any combination thereof. Examples of computing devices include, but are not limited to, a server (e.g., a blade-server in a blade-server chassis, a rack server in a rack, etc.), a desktop computer, a mobile device (e.g., laptop computer, smart phone, personal digital assistant, tablet computer and/or any other mobile computing device), a virtual machine executing using underlying device hardware, and/or any other type of computing device with the aforementioned requirements.


In one or more embodiments, a switching engine (e.g., switching engine A (106), switching engine B (116)) is any hardware (e.g., circuitry), or a combination of hardware and software, capable of receiving data, processing the data, and transmitting the data. In one or more embodiments, a switching engine (e.g., switching engine A (106) and switching engine B (116)) is a component of a network device (e.g., network device A (104), network device B (112)) that performs some or all of the functionalities of the network device (e.g., network device A (104), network device B (112)). For example, in one or more embodiments, a switching engine (e.g., switching engine A (106), switching engine B (116)) is capable of (i) receiving a network traffic data unit, (ii) analyzing the network traffic data unit to determine a destination (e.g., via a lookup), (iii) determining a network tunnel that the network traffic data unit is intended to traverse, and/or (iv) appending information to the network traffic data unit that indicates the tunnel to be traversed and the encryption type intended to be used.


As another example, in one or more embodiments, a switching engine (e.g., switching engine A (106), switching engine B (116)) is capable of receiving a decrypted network traffic data unit, already appended with post-decryption information, and is configured to (i) analyze that post-decryption information to (ii) determine whether the decrypted network traffic data unit was successfully decrypted, and (iii) transmit the decrypted network traffic data unit if the post-decryption information does not indicate any error. Alternatively, a switching engine (e.g., switching engine A (106) and switching engine B (116)) is configured to perform an error action if the post-decryption information indicates that the decryption of an encrypted network traffic data unit was not fully successful.


In one or more embodiments, an encryption engine (e.g., encryption engine (108)) is any hardware (e.g., circuitry), or a combination of hardware and software, capable of receiving data, processing the data to obtain modified data, and transmitting the data. Further, in one or more embodiments, an encryption engine (e.g., encryption engine (108)) may be all or any portion of a network device (e.g., network device (104)). The modification performed by an encryption engine (e.g., encryption engine (108)) may be of any type that transforms the data from one form to another (e.g., encryption, appending of headers and/or tails, addition and/or removal of tags and/or identifiers, authentication, verification, etc.). Further, in one or more embodiments, the modification and/or encryption performed by the encryption engine (e.g., encryption engine (108)) may be similar to, or some variation of, Media Access Control Security (MACsec) as standardized by the Institute of Electrical and Electronics Engineers (IEEE) in IEEE 802.1AE, and/or IP Security (IPsec) Encapsulating Security Payload (ESP) as described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 4303 and IETF RFC 3948. In one or more embodiments, the encryption performed by the encryption engine (e.g., encryption engine (108)) uses an Advanced Encryption Standard Galois/Counter Mode (AES-GCM) cipher suite. One of ordinary skill in the art, having the benefit of this Detailed Description, will appreciate that an encryption engine may also be capable of performing all of the functions of a decryption engine (described below).


In one or more embodiments, an encryption engine (e.g., encryption engine (108)) may modify only a portion of the network traffic data unit that the encryption engine (e.g., encryption engine (108)) is provided (e.g., modifying only a payload, but not forwarding information). Alternatively, in one or more embodiments, an encryption engine (e.g., encryption engine (108)) may modify at least a portion of both the payload and accompanying forwarding information (e.g., modifying a payload and at least one tunneling header and/or identifier). Additionally, in one or more embodiments, an encryption engine (e.g., encryption engine (108)) may be capable of transmitting or causing the transmission of the data to another device or component after modification. In one or more embodiments, the encryption engine (e.g., encryption engine (108)) is operatively connected to a network (e.g., network (110)).


In one or more embodiments, a network (e.g., network (110)) is a collection of connected network devices that allow for the communication of data from one network device to other network devices, or the sharing of resources among network devices. Examples of a network (e.g., network (110)) include, but are not limited to, a local area network (LAN), a wide area network (WAN) (e.g., the Internet), a mobile network, or any other type of network that allows for the communication of data and sharing of resources among network devices and/or devices (e.g., computing devices) operatively connected to the network (e.g., network (110)). In one or more embodiments, the source device (e.g., source device (102)) is operatively connected to a network (e.g., network (110)) via a network device (e.g., network device A (104)).


In one or more embodiments, a decryption engine (e.g., decryption engine (114)) is any hardware (e.g., circuitry), or a combination of hardware and software, capable of receiving data, processing the data to obtain modified data, and transmitting the data. Further, in one or more embodiments, a decryption engine (e.g., decryption engine (114)) may be all or any portion of a network device (e.g., network device (112)). The modification performed by a decryption engine (e.g., decryption engine (114)) may be of any type that transforms the data from one form to another (e.g., decryption, appending of headers and/or tails, addition and/or removal of tags and/or identifiers, authentication, verification, etc.). Further, in one or more embodiments, the modification and/or decryption performed by the decryption engine (e.g., decryption engine (114)) may be similar to, or some variation of, MACsec as standardized in IEEE 802.1AE, and/or IPsec ESP as described in the IETF RFC 4303 and IETF RFC 3948. In one or more embodiments, the modification and/or decryption performed by the decryption engine (e.g., decryption engine (114)) may use an AES-GCM cipher suite. One of ordinary skill in the art, having the benefit of this Detailed Description, will appreciate that a decryption engine may also be capable of performing all of the functions of an encryption engine (described above).


In one or more embodiments, a decryption engine (e.g., decryption engine (114)) may modify only a portion of the network traffic data unit that the decryption engine (e.g., decryption engine (114)) is provided (e.g., modifying only a payload, but not forwarding information). Alternatively, in one or more embodiments, a decryption engine (e.g., decryption engine (114)) may modify at least a portion of both the payload and accompanying forwarding information (e.g., modifying a payload and at least a portion of the tunneling headers or identifiers). Additionally, in one or more embodiments, a decryption engine (e.g., decryption engine (114)) may be capable of transmitting or causing the transmission of the data to another device or component after modification. In one or more embodiments, the decryption engine (e.g., decryption engine (114)) is operatively connected to a network (e.g., network (110)).


In one or more embodiments, a decryption engine (e.g., decryption engine (114)) is capable of (i) making a determination that an encrypted network traffic data unit specifies a network tunnel terminating at a network device (e.g., network device A (104), network device B (112)) that includes the decryption engine (e.g., decryption engine (114)), (ii) analyzing the encrypted network traffic data unit to determine the encryption type used to encrypt the data therein, (iii) authenticating and decrypting the encrypted portion, (iv) removing forwarding information, and (v) appending other post-decryption information.


While FIG. 1 shows a specific configuration of system (100), other configurations may be used without departing from the scope of the disclosure. For example, although the source device (102) and network device A (104) are shown to be directly connected, there may be one or more other devices (e.g., network devices) between the source device and the network device that operatively connect the source device (102) and network device A (104). Similarly, although the destination device (118) and network device B (112) are shown to be directly connected, there may be one or more other devices (e.g., network devices) between the destination device and the network device that operatively connect the destination device (118) and network device B (112). Additionally, although the source device (102) and network device A (104) are shown to be two separate devices, network device A (104) may be the source device that generates the network traffic data unit. Similarly, although destination device (118) and network device B (112) are shown to be two separate devices, network device B (112) may be the destination device that requests the network traffic data unit from the source device (102). Accordingly, embodiments disclosed herein should not be limited to the configuration of devices and/or components shown in FIG. 1.



FIG. 2A shows a network traffic data unit (200) in accordance with one or more embodiments. In one or more embodiments, FIG. 2A depicts the network traffic data unit (200) as received at a switching engine after transmission from a source device. In one or more embodiments, the network traffic data unit (200) includes inner forwarding information (202) and a payload (204). Each of these components is described below.


In one or more embodiments, forwarding information is data appended to a network traffic data unit. In one or more embodiments, forwarding information indicates a single destination for the network traffic data unit (e.g., via an IP routing scheme). In another embodiment, forwarding information may specify one or more network devices that the network traffic data unit is intended to traverse (e.g., via an MPLS routing scheme). Further, in one or more embodiments, forwarding information may include a combination of routing techniques (e.g., MPLS header(s) and an IP header) that specifies both (i) a particular path the network traffic data unit is intended to traverse to arrive at a network device (e.g., an MPLS network tunnel) before (ii) being routed along an undetermined path (e.g., IP routing). One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any form of routing technique may be specified alone, or in combination with other routing technique(s) in any order. Examples of routing techniques include, but are not limited to, MPLS, GMPLS, SPB, and ECMP.


In one or more embodiments, inner forwarding information (e.g., inner forwarding information (202)) is a form of forwarding information (i.e., data) appended to a network traffic data unit that indicates to a network device to utilize a specific routing technique when processing the network traffic data unit (e.g., network traffic data unit (200)). One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that the forwarding information may take many forms including, but not limited to, headers, trailers, and/or identifiers. In one or more embodiments, the inner forwarding information (202) also specifies the destination (e.g., the destination device) of the network traffic data unit (200) (e.g., via a destination IP address and/or destination MAC address). In one or more embodiments, the inner forwarding information (202) additionally specifies a unique identifier of the next network device that the network traffic data unit (200) is intended to traverse (e.g., a network device MAC address).


In one or more embodiments, a payload (e.g., payload (204)) includes the data that is intended to reach the destination device. For example, the payload (204) may include user data requested by the destination device and stored by the source device. Thus, in one or more embodiments, the source device generates the network traffic data unit (200) with appropriate forwarding information so as to facilitate delivery of the payload to the destination device.


In one or more embodiments, in addition to the user data, the payload may include forwarding information. That is, for example, the payload may include Ethernet headers, IP headers, user data, a separate encryption scheme, specifications for routing via a specialized technique, and/or any other form of data. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that the payload may, itself, include all of the contents of a network traffic data unit.


While FIG. 2A shows a specific configuration of a network traffic data unit (200), other configurations may be used without departing from the scope of the disclosure. For example, although the network traffic data unit (200) is shown with only inner forwarding information (202) and a payload (204), the network traffic data unit (200) may also include other data and/or metadata including, but not limited to, a preamble, time to live (TTL) data, a start frame delimiter (SFD), other headers, a frame check sequence (FCS), other trailers, and/or flags. Accordingly, embodiments disclosed herein should not be limited to the configuration of portions of a network traffic data unit shown in FIG. 2A.



FIG. 2B shows a network traffic data unit (206) in accordance with one or more embodiments. In one or more embodiments, FIG. 2B depicts the network traffic data unit (206) as received at an encryption engine after transmission from a switching engine. In one or more embodiments, the network traffic data unit (206) includes encryption information (210), outer forwarding information (208), inner forwarding information (212), and a payload (214). Each of these components is described below.


In one or more embodiments, the outer forwarding information (208) is another form of forwarding information, as described above in the description of FIG. 2A. In one or more embodiments, outer forwarding information (208) is separated from the payload (214) and inner forwarding information (212), which is appended nearer to the payload (214) than the outer forwarding information (208). Hence, in one or more embodiments, the adjectives “inner” and “outer” are used herein to describe proximity to the payload (214).


In one or more embodiments, outer forwarding information (e.g., outer forwarding information (208)) may allow for “IP in IP” encapsulation as the inner forwarding information (e.g., inner forwarding information (212)) is fully encapsulated in addition to the payload (e.g., payload (214)). Thus, in one or more embodiments, the inner forwarding information (e.g., inner forwarding information (212)) may be encrypted (in addition to the payload) and still allow for the transmission of the network traffic data unit (e.g., network traffic data unit (206)) using the outer forwarding information (e.g., outer forwarding information (208)).


In one or more embodiments, encryption information (210) indicates the encryption type to be used by the encryption engine. For example, the encryption information (210) may specify AES-GCM type security is to be used to encrypt the inner forwarding information (212) and/or payload (214). In one or more embodiments, the encryption information (210) may be referred to as a Security Association (SA) tag. In one or more embodiments, encryption information (210) may specify one or more SAs (e.g., MACsec Secure Channel Identifier (SCI), encryption key, etc.) to use when encrypting some or all of a network traffic data unit. In one or more embodiments, encryption information (210) may specify one or more encryption parameters (e.g., cipher-suite, encryption keys, etc.). In one or more embodiments, the encryption information (e.g., encryption information (210)) indicates to a network device that the network traffic data unit (206) is to be encrypted without specifying the encryption type; and in such an instance, the encryption engine may perform a pre-determined type of encryption based on the encryption information (e.g., encryption information (210)) lacking an indication of the type of encryption. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any type of suitable encryption may be used to encrypt the inner forwarding information (212) and payload (214).
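The switching-engine step described for FIG. 1 and the encryption information of FIG. 2B, as an added worked example in Go (not code from the patent or from any product it covers): a tunnel table is searched by longest prefix match on the inner destination, and the matching entry supplies the outer forwarding information and the SA tag, which may name an encryption type or leave it unspecified so that the encryption engine applies its pre-determined type. The tunnel table, field names, SCI values and type codes are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Added example, not the patent's code. A switching engine decides whether a
// network traffic data unit is to traverse a network tunnel and, if so,
// prepends outer forwarding information and encryption information (the SA tag)
// to produce the FIG. 2B unit. Tunnel table, field layout and type codes are
// assumptions constructed for this example.

// Encryption types an SA tag may name. EncUnspecified is the case where the tag
// only says "encrypt" and the encryption engine applies its pre-determined type.
const (
	EncUnspecified uint8 = 0
	EncAESGCM      uint8 = 1
	EncIPsecESP    uint8 = 2
)

// Tunnel is an assumed tunnel-table entry.
type Tunnel struct {
	ID      uint32       // tunnel identifier placed in the outer forwarding information
	Prefix  netip.Prefix // inner destinations reached through this tunnel
	Egress  string       // egress interface
	EncType uint8        // encryption type requested, or EncUnspecified
	SCI     uint64       // secure channel identifier selecting the SA
}

// SATag is the encryption information (210) of FIG. 2B.
type SATag struct {
	EncType uint8
	SCI     uint64
}

// TaggedUnit is the unit after the switching engine. Tagged=false means no
// tunnel matched and the unit keeps its FIG. 2A form.
type TaggedUnit struct {
	Tagged   bool
	TunnelID uint32     // outer forwarding information (208)
	Egress   string     // outer forwarding information (208)
	Tag      SATag      // encryption information (210)
	InnerDst netip.Addr // taken from the inner forwarding information (212)
	Payload  []byte     // payload (214)
}

// SwitchingEngine holds the tunnel table.
type SwitchingEngine struct{ Tunnels []Tunnel }

// Process runs a longest-prefix-match lookup on the inner destination and, on a
// hit, appends outer forwarding information and the SA tag.
func (s SwitchingEngine) Process(dst string, payload []byte) (TaggedUnit, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return TaggedUnit{}, err
	}
	u := TaggedUnit{InnerDst: addr, Payload: payload}
	var best *Tunnel
	for i := range s.Tunnels {
		t := &s.Tunnels[i]
		if t.Prefix.Contains(addr) && (best == nil || t.Prefix.Bits() > best.Prefix.Bits()) {
			best = t
		}
	}
	if best == nil {
		return u, nil // no tunnel: forwarded untagged, and therefore unencrypted
	}
	u.Tagged, u.TunnelID, u.Egress = true, best.ID, best.Egress
	u.Tag = SATag{EncType: best.EncType, SCI: best.SCI}
	return u, nil
}

// SampleEngine is a constructed table: a /16 tunnel with a more specific /24
// inside it, so the longest match decides both the tunnel and the SA.
func SampleEngine() SwitchingEngine {
	return SwitchingEngine{Tunnels: []Tunnel{
		{ID: 1, Prefix: netip.MustParsePrefix("10.1.0.0/16"), Egress: "et1", EncType: EncUnspecified, SCI: 0x1001},
		{ID: 2, Prefix: netip.MustParsePrefix("10.1.5.0/24"), Egress: "et2", EncType: EncIPsecESP, SCI: 0x1002},
	}}
}

func main() {
	s := SampleEngine()
	for _, dst := range []string{"10.1.5.9", "10.1.7.1", "192.0.2.1"} {
		u, _ := s.Process(dst, []byte("payload"))
		fmt.Printf("%-10s tagged=%-5v tunnel=%d egress=%-3s type=%d sci=%#x\n",
			dst, u.Tagged, u.TunnelID, u.Egress, u.Tag.EncType, u.Tag.SCI)
	}
}
```

The /24 entry wins for 10.1.5.9 and carries an explicit IPsec ESP request, 10.1.7.1 falls back to the /16 whose tag leaves the type for the encryption engine to fill in, and 192.0.2.1 matches no tunnel and leaves the engine untagged, which is the case that is forwarded in the clear and the one a policy review of the tunnel table should look for.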


In one or more embodiments, inner forwarding information (e.g., inner forwarding information (212)) is similar to inner forwarding information as described above in the description of FIG. 2A. In one or more embodiments, payload (e.g., payload (214)) is similar to the payload as described above in the description of FIG. 2A.


While FIG. 2B shows a specific configuration of a network traffic data unit (206), other configurations may be used without departing from the scope of the disclosure. For example, although the network traffic data unit (206) is shown with only outer forwarding information (208), encryption information (210), inner forwarding information (212), and a payload (214), the network traffic data unit (206) may also include other data and/or metadata including, but not limited to, a preamble, TTL data, a SFD, other headers, a FCS, other trailers, and/or flags. Accordingly, embodiments disclosed herein should not be limited to the configuration of portions of a network traffic data unit as shown in FIG. 2B.



FIG. 2C shows an encrypted network traffic data unit (216) in accordance with one or more embodiments. In one or more embodiments, FIG. 2C depicts the encrypted network traffic data unit (216) as received at a decryption engine after transmission from an encryption engine (e.g., via a network). In one or more embodiments, the encrypted network traffic data unit (216) includes outer forwarding information (218), decryption information A (220), encrypted inner forwarding information (222), an encrypted payload (224), and decryption information B (226). Each of these components is described below.


In one or more embodiments, decryption information (e.g., decryption information A (220), decryption information B (226)) is appended to an encrypted network traffic data unit (e.g., encrypted network traffic data unit (216)) during, or immediately after, the encryption of the network traffic data unit by an encryption engine. In one or more embodiments, the decryption information (e.g., decryption information A (220), decryption information B (226)) specifies information necessary for a decryption engine to be able to decrypt the encrypted data of the encrypted network traffic data unit (216). In one or more embodiments, the decryption information (e.g., decryption information A (220), decryption information B (226)) may provide and/or specify (i) the encryption type used (e.g., MACsec, IPsec ESP), (ii) replay protection, and/or (iii) an integrity check value (ICV) for the encrypted network traffic data unit (216).


In one or more embodiments, decryption information A (220) specifies (i) the encryption type used and (ii) the replay protection, whereas decryption information B (226) specifies (iii) the ICV. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any of (i) the encryption type used, (ii) replay protection, and/or (iii) the ICV may be specified and/or provided by decryption information A (220) and/or decryption information B (226), or some variation thereof.


In one or more embodiments, encrypted inner forwarding information (e.g., encrypted inner forwarding information (222)) is similar to inner forwarding information as described above in the description of FIG. 2A except that the inner forwarding information was modified by the encryption engine. In one or more embodiments, the encrypted inner forwarding information (222) is modified so that the content of the encrypted inner forwarding information (222) is obscured and rendered unreadable without first being decrypted. Accordingly, devices (e.g., network devices in a network path between an encryption engine and a decryption engine) are unable to read and/or modify whatever data is included in the encrypted inner forwarding information (222).


In one or more embodiments, an encrypted payload (e.g., encrypted payload (224)) is similar to the payload as described above in the description of FIG. 2A except that the payload was modified by the encryption engine. In one or more embodiments, the encrypted payload (224) is modified so that the content of the encrypted payload (224) is obscured and rendered unreadable without first being decrypted. Accordingly, devices (e.g., network devices in a network path between an encryption engine and a decryption engine) are unable to read and/or modify whatever data is included in the encrypted payload (224).


In one or more embodiments, outer forwarding information (218) is similar to the outer forwarding information (208) as described above in the description of FIG. 2B.


While FIG. 2C shows a specific configuration of an encrypted network traffic data unit (216), other configurations may be used without departing from the scope of the disclosure. For example, although the encrypted network traffic data unit (216) is shown with only outer forwarding information (218), decryption information A (220), encrypted inner forwarding information (222), an encrypted payload (224), and decryption information B (226), the encrypted network traffic data unit (216) may also include other data and/or metadata including, but not limited to, a preamble, TTL data, a SFD, other headers, a FCS, other trailers, and/or flags. Accordingly, embodiments disclosed herein should not be limited to the configuration of portions of a network traffic data unit as shown in FIG. 2C.



FIG. 2D shows a decrypted network traffic data unit (228) in accordance with one or more embodiments. In one or more embodiments, FIG. 2D depicts the decrypted network traffic data unit (228) as received at a switching engine after transmission from a decryption engine. In one or more embodiments, the decrypted network traffic data unit (228) includes post-decryption information (230), outer forwarding information (231), inner forwarding information (232), and a payload (234). Each of these components is described below.


In one or more embodiments, post-decryption information (e.g., post-decryption information (230)) is data that is appended to a decrypted network traffic data unit (e.g., decrypted network traffic data unit (228)) after the decryption has occurred. In one or more embodiments, post-decryption information (e.g., post-decryption information (230)) may specify (i) a decryption status (e.g., an indication that the decrypted network traffic data unit was previously encrypted), (ii) the encryption type that was used, (iii) whether the decryption was successful (e.g., an error indicator, or absence thereof), and/or (iv) other information about the status of the decrypted network traffic data unit.


In one or more embodiments, inner forwarding information (e.g., inner forwarding information (232)) is similar to inner forwarding information as described above in the description of FIG. 2A. In one or more embodiments, payload (e.g., payload (234)) is similar to the payload as described above in the description of FIG. 2A.


In one or more embodiments, outer forwarding information (231) is similar to the outer forwarding information (208) as described above in the description of FIG. 2B.


While FIG. 2D shows a specific configuration of a decrypted network traffic data unit (228), other configurations may be used without departing from the scope of the disclosure. For example, although the decrypted network traffic data unit (228) is shown with only post-decryption information (230), outer forwarding information (231), inner forwarding information (232), and a payload (234), the decrypted network traffic data unit (228) may also include other data and/or metadata including, but not limited to, a preamble, TTL data, a SFD, other headers, a FCS, other trailers, and/or flags. Accordingly, embodiments disclosed herein should not be limited to the configuration of portions of a network traffic data unit as shown in FIG. 2D.



FIG. 2E shows a network traffic data unit (236) in accordance with one or more embodiments. In one or more embodiments, FIG. 2E depicts the network traffic data unit (236) as received at a destination device after transmission from a switching engine. In one or more embodiments, the network traffic data unit (236) includes inner forwarding information (238) and a payload (240). Each of these components is described below.


In one or more embodiments, inner forwarding information (e.g., inner forwarding information (238)) is similar to inner forwarding information as described above in the description of FIG. 2A. In one or more embodiments, payload (e.g., payload (240)) is similar to the payload as described above in the description of FIG. 2A.


In one or more embodiments, the network traffic data unit of FIG. 2E is substantially similar to the network traffic data unit of FIG. 2A. For example, with the exception of variations to the inner forwarding information (e.g., MAC address of next-hop network device), after the network traffic data unit is tagged, encrypted, transmitted through a network tunnel, decrypted, and untagged, the network traffic data unit appears in substantially the same form with substantially the same data as when first generated by the source device. Accordingly, in one or more embodiments, all of the information appended to the network traffic data unit to process and transmit the network traffic data unit is removed prior to arriving at the destination device. Further, in one or more embodiments, all of the processing (e.g., encryption) is reversed or otherwise undone prior to arriving at the destination device.


While FIG. 2E shows a specific configuration of a network traffic data unit (236), other configurations may be used without departing from the scope of the disclosure. For example, although the network traffic data unit (236) is shown with only inner forwarding information (238) and a payload (240), the network traffic data unit (236) may also include other data and/or metadata including, but not limited to, a preamble, TTL data, a SFD, other headers, a FCS, other trailers, and/or flags. Accordingly, embodiments disclosed herein should not be limited to the configuration of portions of a network traffic data unit as shown in FIG. 2E.



FIG. 3 shows a flowchart describing the operations performed by a switching engine on a network traffic data unit prior to encryption according to one or more embodiments. While the various steps in this flowchart are presented and described sequentially, one of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.


In Step 300, a network traffic data unit is obtained by a switching engine that includes, at least, (i) forwarding information and (ii) a payload. In one or more embodiments, the switching engine may have received the network traffic data unit directly from a source device, or from another intermediary network device operatively connected to the source device. Alternatively, in one or more embodiments, the switching engine may also be the source device that generates the network traffic data unit.


In one or more embodiments, the network device that includes the switching engine is located inside of a private (e.g., not public) network (e.g., site). Accordingly, in one or more embodiments, there is a presumption that the site that includes the network device is sufficiently secure to allow for the network traffic data unit to be transmitted in-the-clear (e.g., unencrypted, decrypted, not encrypted), at least until reaching the switching engine.


In Step 302, the switching engine performs a lookup using at least a portion of the network traffic data unit to determine a network tunnel through which the network traffic data unit is to be transmitted. In one or more embodiments, the lookup uses the forwarding information included in the network traffic data unit to determine a path or next network device through which the network traffic data unit is intended to traverse.


In Step 304, a determination is made as to whether the network traffic data unit is intended to traverse a network tunnel. In one or more embodiments, the determination as to whether the network traffic data unit is intended to traverse a network tunnel is performed by analyzing the inner forwarding information appended to the network traffic data unit to identify a specified network tunnel. If the determination is made that the network traffic data unit is not to traverse a network tunnel, the process proceeds to Step 312. However, if the determination is made that the network traffic data unit is intended to traverse a network tunnel, the process proceeds to Step 306.


In Step 306, in one or more embodiments, after the network tunnel is identified, the egress port associated with the network tunnel is determined. In one or more embodiments, the switching engine is configured to identify the egress port by association with the identified network tunnel and/or by performing a lookup to identify an egress port configured to interact with the network tunnel.


In one or more embodiments, the switching engine appends network tunnel information to the network traffic data unit relating to the network tunnel through which the network traffic data unit is intended to traverse. In one or more embodiments, the network tunnel information indicates (i) the port through which the network traffic data unit is intended to be transmitted out of the network device, (ii) the encryption engine to transmit the network traffic data unit towards, and/or (iii) outer forwarding information that specifies the path through the network tunnel and/or a destination device that terminates the network tunnel.


For example, in one or more embodiments, the network tunnel information may specify a port of the network device that includes an encryption engine that is operatively connected to the destination device. Further, in one or more embodiments, the network tunnel information includes the outer forwarding information that specifies a path to traverse over a network. Thus, in one or more embodiments, the appended network tunnel information allows the network traffic data unit to traverse one or more networks to arrive at the network device that terminates the network tunnel.


In Step 308, a determination is made about whether the network traffic data unit needs to be encrypted. If the determination is made that the network traffic data unit is not to be encrypted, the process proceeds to Step 312. Alternatively, if the determination is made that the network traffic data unit is to be encrypted, the process proceeds to Step 310.


In one or more embodiments, the determination as to whether the network traffic data unit needs to be encrypted is based on the destination device, the network tunnel through which the network traffic data unit is assigned to traverse, the port through which the network traffic data unit is assigned to exit the network device, and/or on any other data or metadata associated with the network traffic data unit.


For example, in one or more embodiments, the switching engine is configured to determine that, based on the network tunnel information, all network traffic traversing the associated network tunnel needs to be encrypted. Accordingly, in one or more embodiments, the switching engine makes a determination that the network traffic data unit needs to be encrypted.


In Step 310, encryption information is appended to the network traffic data unit. In one or more embodiments, as described above in the description of FIG. 2B, the encryption information indicates the encryption type to be used by the encryption engine. For example, the encryption information may specify IPsec ESP and/or MACsec type security is to be used to encrypt the inner forwarding information and/or payload. In one or more embodiments, the encryption information merely indicates to a network device that the network traffic data unit is to be encrypted without specifying the encryption type. In one or more embodiments, the encryption information may be referred to as a SA tag. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any type of suitable encryption may be used to encrypt the inner forwarding information and/or the payload.


In Step 312, the network traffic data unit is transmitted towards the encryption engine. In one or more embodiments, depending on the various determinations made prior to transmission to the encryption engine (e.g., determinations made in Step 304 and/or Step 308), the network traffic data unit may be appended with network tunnel information (as appended in Step 306) and with encryption information (as appended in Step 310). In one or more embodiments, regardless of whether network tunnel information or encryption information is appended to the network traffic data unit, the network traffic data unit is transmitted towards the encryption engine.



FIG. 4 shows a flowchart describing the operations performed by an encryption engine on a network traffic data unit for encryption according to one or more embodiments. While the various steps in this flowchart are presented and described sequentially, one of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.


In Step 400, an encryption engine obtains a network traffic data unit. Depending on the various determinations made by the switching engine (e.g., determinations made in Step 304 and/or Step 308 in FIG. 3), the network traffic data unit may or may not be appended with network tunnel information or encryption information.


In Step 402, a determination is made as to whether valid encryption information is appended to the network traffic data unit. If the network traffic data unit lacks any encryption information, or errors exist within the encryption information, the process proceeds to Step 404. However, if the network traffic data unit is appended with valid encryption information, the process proceeds to Step 406.


In one or more embodiments, encryption information may be invalid or include an error if the encryption specified in the encryption information cannot be performed by the encryption engine and/or the encryption information fails to specify which portion of the network traffic data unit is to be encrypted (and the encryption engine is not configured to make such a determination).


In Step 404, in one or more embodiments, although not shown in FIG. 4, if the network traffic data unit lacks any encryption information or an error exists within the encryption information (as determined in Step 402), the encryption engine may perform an error action that includes (i) dropping the network traffic data unit, (ii) quarantining the network traffic data unit, (iii) alerting a system administrator, (iv) transmitting the network traffic data unit to a system for further analysis/processing, (v) logging the error in an appropriate log of the network device, and/or (vi) any other appropriate action for processing an erroneous decrypted network traffic data unit. Alternatively, in one or more embodiments, if the network traffic data unit lacks any encryption information or an error exists within the encryption information (as determined in Step 402), the encryption engine may transmit the network traffic data unit through an egress port of the network device without any modification.


In one or more embodiments, if the network traffic data unit does not have any network tunnel information (See FIG. 3, Step 304—NO), the network traffic data unit may not have encryption information. In one or more embodiments, if the network traffic data unit is not intended to traverse a network tunnel, but is merely intended to traverse one or more networks unencrypted using the inner forwarding information, the encryption engine will not perform any modification, but rather pass the network traffic data unit through towards the network traffic's destination.


In Step 406, after the determination is made that the network traffic data unit is appended with valid encryption information, a portion of the network traffic data unit is encrypted. In one or more embodiments, the encryption engine performs the encryption type specified by the encryption information and encrypts the portion of the network traffic data unit specified by the encryption information. In one or more embodiments, the portion of the network traffic data unit to be encrypted includes only the payload and the inner forwarding information but not the outer forwarding information. Alternatively, in one or more other embodiments, the portion of the network traffic data unit to be encrypted includes only the payload (and all forwarding information remains unencrypted).


In one or more embodiments, encrypting a portion of the network traffic data unit involves modifying the content of the encrypted portion to obscure and render the encrypted portion as unreadable without first being decrypted. For example, the encrypted portion of the network traffic data unit may be encrypted such that only those devices with the necessary information to decrypt the content are able to read that content. Accordingly, network devices lacking the necessary information to decrypt the encrypted portion are unable to read the data included in the encrypted portion of the network traffic data unit.


In one or more embodiments, the encryption engine generates data unique to the network traffic data unit using the network traffic data unit (e.g., a hash, sequence number). Thus, in one or more embodiments, the encryption engine generates data that can be appended to the encrypted network traffic data unit to ensure to any recipient that the content of the encrypted portion was not altered. Further, in one or more embodiments, the encryption engine may generate other data that prevents (or makes more difficult) an attempt to maliciously or fraudulently repeat and/or delay the content and/or transmission of the encrypted network traffic data unit (e.g., a replay attack).


In one or more embodiments, the encryption engine may generally secure the network traffic data unit (or some portion thereof). As used herein, securing a network traffic data unit (or some portion thereof) may include one or more of the processes described above, including (i) encrypting (rendering data unreadable without first being decrypted), (ii) generating a hash and/or sequence number (to make malicious repeating more difficult), (iii) appending decryption information (described below in the description of step 410), and/or (iv) appending and/or modifying any other information that would prevent, or make more difficult, the malicious and/or fraudulent interception, reading, processing, modification, and/or recreation of data of the encrypted network traffic data unit.


In Step 408, the encryption information is removed from the network traffic data unit. In one or more embodiments, as the encrypted portion of the network traffic data unit has been encrypted, the encryption information is removed such that while the encrypted network traffic data unit is traversing a public network, the encryption information cannot be intercepted.


In Step 410, decryption information is appended to the network traffic data unit. In one or more embodiments, as described above in the description of FIG. 2C, decryption information is appended to an encrypted network traffic data unit during, or immediately after, the encrypted portion of the network traffic data unit is encrypted by an encryption engine. In one or more embodiments, the decryption information specifies information necessary for a decryption engine to be able to decrypt the encrypted portions of the encrypted network traffic data unit. In one or more embodiments, the decryption information may provide and/or specify (i) the encryption type used (e.g., MACsec, IPsec ESP), (ii) replay protection, and/or (iii) an ICV for the encrypted network traffic data unit.


In one or more embodiments, the decryption information is broken into two portions (e.g., decryption information A and decryption information B). In one or more embodiments, decryption information A specifies (i) the encryption type used and (ii) the replay protection, whereas decryption information B specifies (iii) the ICV. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any of (i) the encryption type used, (ii) replay protection, and/or (iii) the ICV may be specified and/or provided by decryption information A and/or decryption information B, or some variation thereof.


In Step 412, the encrypted network traffic data unit is transmitted towards the decryption engine (and/or the network device to which the decryption engine belongs). In one or more embodiments, the decryption engine is specified by the outer forwarding information that was appended to the network traffic data unit prior to encryption (See FIG. 3, Step 306). Further, in one or more embodiments, as the outer forwarding information was not encrypted by the encryption engine, the outer forwarding information is utilized by one or more network devices in the path between the encryption engine and the decryption engine that the encrypted network traffic data unit traverses, in order to ensure that the encrypted network traffic data unit is transmitted to the decryption engine.


In one or more embodiments, the encryption engine transmits the encrypted network traffic data unit through an egress port of the network device into a public network (e.g., the Internet). Accordingly, in one or more embodiments, the only unencrypted (e.g., in-the-clear) portions of the encrypted network traffic data unit are the outer forwarding information and the decryption information.



FIG. 5 shows a flowchart describing the operations performed by a decryption engine on an encrypted network traffic data unit according to one or more embodiments. While the various steps in this flowchart are presented and described sequentially, one of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.


In Step 500, a decryption engine obtains a network traffic data unit. In one or more embodiments, the network traffic data unit is an encrypted network traffic data unit, having been previously encrypted by an encryption engine.


Alternatively, in one or more embodiments, the network traffic data unit is not encrypted, having been passed through by the encryption device (See Step 404). In one or more embodiments, the decryption engine is a part of a network device that is operatively connected to a public network (e.g., the Internet), via an ingress port, and the network traffic data unit is received via the ingress port.


In Step 502, a determination is made as to whether the decryption engine (and/or the network device to which the decryption engine belongs) is specified by the outer forwarding information appended to the network traffic data unit. If the outer forwarding information of the network traffic data unit does not specify the decryption engine (or the network device to which the decryption engine belongs) as the network device that terminates the network tunnel, the process proceeds to Step 504. That is, for example, in one or more embodiments, the network device (to which the decryption engine belongs) may be an intermediary network device that acts to relay network traffic data units (encrypted or otherwise) towards a destination.


Alternatively, in one or more embodiments, if the outer forwarding information of the encrypted network traffic data unit does specify the decryption engine (and/or the network device to which the decryption engine belongs) as the network device that terminates the network tunnel, the process proceeds to Step 506.


In Step 504, in one or more embodiments, the decryption engine transmits the network traffic data unit towards a destination without modification from the decryption engine. In one or more embodiments, if the outer forwarding information of the network traffic data unit does not indicate the decryption engine (and/or the network device to which the decryption engine belongs), the decryption engine may process the network traffic data unit by transmission to the switching engine without performing decryption. For example, the network device (to which the decryption engine belongs) may merely process the network traffic data unit (encrypted or unencrypted) as ordinary network traffic and transmit the network traffic data unit towards the network traffic data unit's next destination. Alternatively, in one or more embodiments, the decryption engine may be configured to drop any network traffic data unit that does not specify the decryption engine (and/or the network device to which the decryption engine belongs) in the outer forwarding information.


In Step 506, the decryption information appended to the encrypted network traffic data unit is analyzed. In one or more embodiments, as described above in the description of FIG. 2C, decryption information may provide and/or specify (i) the encryption type used (e.g., IPsec ESP, MACsec), (ii) replay protection, and/or (iii) an ICV for the encrypted network traffic data unit. Thus, in one or more embodiments, the decryption information is analyzed to determine the encryption type used.


In Step 508, the decryption engine decrypts the encrypted network traffic data unit based on the decryption information. In one or more embodiments, the decryption engine may also perform other security actions on the encrypted network traffic data unit. For example, the decryption engine may further analyze/utilize the decryption information (appended to the encrypted network traffic data unit by the encryption engine) to ensure that the encrypted network traffic data unit was not maliciously or fraudulently repeated or delayed (e.g., a replay attack). Further, the decryption engine may verify that the contents of the encrypted portion of the encrypted network traffic data unit have not been modified (e.g., an integrity check) using the ICV. One of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that any form of security check may be performed upon the encrypted network traffic data unit to verify the secure transmission and content of the payload. In one or more embodiments, if the decryption engine determines that the encrypted network traffic data unit was subject to a replay attack and/or fails an integrity check, the decryption engine may perform an error action that includes (i) dropping the network traffic data unit, (ii) quarantining the network traffic data unit, (iii) alerting a system administrator, (iv) transmitting the network traffic data unit to a system for further analysis/processing, (v) logging the error in an appropriate log of the network device, and/or (vi) any other appropriate action for processing an erroneous decrypted network traffic data unit.


In one or more embodiments, the decryption engine is able to identify the decryption information appended to the encrypted network traffic data unit and decrypt the encrypted portion. For example, the decryption engine may (i) analyze the decryption information and determine that a particular encryption type was utilized (e.g., IPsec ESP and/or MACsec type encryption), (ii) be configured to decrypt the encrypted network traffic data unit, and (iii) proceed to decrypt the payload and any inner forwarding information (if present).


In one or more embodiments, the network device that includes the decryption engine is located inside of a private (e.g., not public) network (e.g., site). Accordingly, in one or more embodiments, there is a presumption that the site that includes the decryption engine is sufficiently secure to allow for the encrypted network traffic data unit to be decrypted and transmitted in-the-clear (e.g., unencrypted, decrypted, not encrypted) towards a destination device.


In Step 512, post-decryption information is added to the decrypted network traffic data unit. In one or more embodiments, as described above in the description of FIG. 2D, post-decryption information is data that is appended to a decrypted network traffic data unit after the decryption has occurred. In one or more embodiments, post-decryption information may specify (i) status of encryption (e.g., an indication that the decrypted network traffic data unit was previously encrypted), (ii) the encryption type that was used, (iii) whether the decryption was successful (an error indicator, or absence thereof), and/or (iv) other information about the status of the decrypted network traffic data unit.


In Step 514, the decryption engine transmits the decrypted network traffic data unit to the switching engine of the same network device. Alternatively, based on the determinations made prior to transmission of the network traffic data unit, the network traffic data unit may be transmitted without any modification by the decryption engine (See Step 504).



FIG. 6 shows a flowchart describing the operations performed by a switching engine on a decrypted network traffic data unit according to one or more embodiments. While the various steps in this flowchart are presented and described sequentially, one of ordinary skill in the art, having the benefit of this Detailed Description, would appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.


In Step 600, a switching engine obtains a network traffic data unit. In one or more embodiments, the network traffic data unit was decrypted by the decryption engine prior to being obtained by the switching engine (i.e., a decrypted network traffic data unit) and may additionally include post-decryption information.


Alternatively, in one or more embodiments, the network traffic data unit is obtained from the decryption engine unaltered; in such an event, the switching engine processes the network traffic data unit using any relevant one or more actions (e.g., transmitting the network traffic data unit, dropping the network traffic data unit, etc.).


In Step 602, a determination is made as to whether the post-decryption information indicates an error. In one or more embodiments, as described above in the description of FIG. 2D, post-decryption information is data that is appended to a decrypted network traffic data unit after the decryption has occurred. In one or more embodiments, post-decryption information may specify (i) status of encryption (e.g., an indication that the decrypted network traffic data unit was previously encrypted), (ii) the encryption type that was used, (iii) whether the decryption was successful (an error indicator, or absence thereof), and/or (iv) other information about the status of the decrypted network traffic data unit (e.g., whether authentication was successful and/or the network traffic data unit was subject to a replay attack).


In one or more embodiments, if an error is indicated (e.g., decryption failed, authentication failed, malicious activity was identified, data is corrupted, etc.) in the post-decryption information, the process proceeds to Step 604. Alternatively, in one or more embodiments, if the switching engine determines that the post-decryption information does not indicate any error, the process proceeds to Step 606.


In Step 604, the switching engine performs an error action based on the determination that the post-decryption information indicates an error. In one or more embodiments, an error action includes (i) dropping the network traffic data unit, (ii) quarantining the network traffic data unit, (iii) alerting a system administrator, (iv) transmitting the network traffic data unit to a system for further analysis/processing, (v) logging the error in an appropriate log of the network device; and/or (vi) any other appropriate action for processing an erroneous decrypted network traffic data unit.


In Step 606, after determining the post-decryption information does not indicate an error, the switching engine removes the post-decryption information. In one or more embodiments, as the decryption of the encrypted network traffic data unit was determined to be successful (as determined in Step 602), the post-decryption information is no longer necessary for the processing and transmission of the decrypted network traffic data unit. Further, the switching engine removes the network tunnel information (e.g., the outer forwarding information and/or tunnel identifier) and the decryption information. In one or more embodiments, as the decrypted network traffic data unit is fully decrypted and within a secure network device, the decryption information (used to decrypt the encrypted network traffic data unit) and the outer forwarding information (used to traverse the network tunnel) are no longer needed for the processing and forwarding of the decrypted network traffic data unit.


In Step 608, the switching engine transmits the decrypted network traffic data unit towards the decrypted network traffic data unit's destination using the inner forwarding information that is now decrypted (and specifies the destination device as generated by the source device). In one or more embodiments, the switching engine transmits the decrypted network traffic data unit through an egress port (of the network device to which the switching engine belongs) operatively connected to the destination device.


In one or more embodiments, the decrypted network traffic data unit is of the same form and includes the same data as when originally generated by the source device; for example, as described above with respect to FIG. 2E, the network traffic data unit is substantially similar to the network traffic data unit of FIG. 2A.


In one or more embodiments, after the network traffic data unit is tagged, encrypted, transmitted through a network tunnel, decrypted, and untagged, the network traffic data unit appears in substantially the same form with substantially the same data as when first generated by the source device. Accordingly, in one or more embodiments, all of the information appended to the network traffic data unit to process and transmit the network traffic data unit is removed prior to arriving at the destination device. Further, in one or more embodiments, all of the processing (e.g., encryption) is reversed or otherwise undone prior to arriving at the destination device.



FIG. 7 shows an example system showing a possible configuration for the transmission, encryption, decryption, and further transmission of a network traffic data unit. The following use case is for explanatory purposes only and not intended to limit the scope to this embodiment. Additionally, while the example shows certain aspects of embodiments described herein, all possible aspects of such embodiments may not be illustrated in this particular example.


Use Case 1


In FIG. 7, consider a scenario in which a network traffic data unit is generated by a source device (702) inside site A (700) including, at least, a payload. In one or more embodiments, site A (700) is considered a secure private network, and thus the transmission of the network traffic data unit in an unencrypted form (i.e., in-the-clear) is permissible. Further, during or immediately after the generation of the network traffic data unit, the source device (702) appends inner forwarding information to the network traffic data unit identifying the destination device (720) as the destination for the network traffic data unit. Further, the source device (702) transmits the network traffic data unit to network device A (704) of site A (700); and switching engine A (706) of network device A (704) receives the network traffic data unit from the source device (702).


Next, switching engine A (706) performs a lookup using the inner forwarding information appended to the network traffic data unit by the source device (702) to determine the network tunnel through which the network traffic data unit is intended to traverse. Further, once the network tunnel is identified, switching engine A (706) makes a determination that the network traffic data unit must therefore exit network device A (704) through an egress port associated with the identified network tunnel. Accordingly, the switching engine appends outer forwarding information to the network traffic data unit that specifies the network tunnel. As a result, the network traffic data unit carries outer forwarding information that allows it to traverse a public network along a particular path (e.g., a tunnel) rather than being routed based on the inner forwarding information.


Next, switching engine A (706) makes a determination that the IP network tunnel (that the network traffic data unit is intended to traverse) requires encryption. That is, in one or more embodiments, switching engine A (706) is configured to identify one or more network tunnels and their associated encryption schemes. In this use case, the IP network tunnel that the network traffic data unit is intended to traverse requires AES-GCM type encryption. Accordingly, switching engine A (706) then appends an SA-tag to the network traffic data unit that identifies the type of encryption to be used. Once the SA-tag is appended to the network traffic data unit, switching engine A (706) then transmits the network traffic data unit to the encryption engine (708).


Next, the encryption engine (708) receives the network traffic data unit (now including a payload, inner forwarding information, an SA-tag, and outer forwarding information). The encryption engine (708) then makes the determination that the SA-tag is valid for the encryption engine (708). That is, in one or more embodiments, the encryption engine (708) analyzes the SA-tag to ensure that the encryption engine (708) is capable of performing the type of encryption specified, and further that the tunnel identified by the SA-tag is operatively connected to the encryption engine such that the encryption engine (708) may transmit the network traffic data unit accordingly.


Next, the encryption engine (708) encrypts the payload and the inner forwarding information. That is, in one or more embodiments, the encryption engine (708) modifies the data of both the payload and inner forwarding information such that the data is rendered unreadable without first being decrypted. Further, as the SA-tag is no longer needed, the encryption engine (708) removes the SA-tag.


Further, once encrypted, the encryption engine (708) appends decryption information to the encrypted network traffic data unit. Specifically, the encryption engine (708) appends two different segments of decryption information. The first segment includes an indication of (i) the encryption type used and (ii) replay protection, whereas the second segment specifies (iii) the ICV. Once the decryption information is appended to the encrypted network traffic data unit, the encryption engine (708) then transmits the encrypted network traffic data unit through an egress port of network device A (704) to network (710).


Network (710), the Internet, then receives the encrypted network traffic data unit with unencrypted outer forwarding information, an encrypted payload, and encrypted inner forwarding information. Network (710) provides an operative connection between network device A (704) and network device B (714). As the outer forwarding information specifies network device B (714) as the device that terminates the tunnel, the operatively connected network devices of network (710) transmit the encrypted network traffic data unit to network device B (714).


Next, network device B (714) (located inside the private network, site B (712)) receives the encrypted network traffic data unit. Specifically, the decryption engine (716) included in network device B (714) obtains the encrypted network traffic data unit. Once obtained, the decryption engine (716) makes a determination that the unencrypted outer forwarding information of the encrypted network traffic data unit specifies network device B (714) as the tunnel termination device. Next, the decryption engine (716) analyzes the decryption information to identify the type of encryption used to encrypt the encrypted network traffic data unit. Once identified, the decryption engine (716) authenticates and decrypts the encrypted network traffic data unit using the decryption information. That is, in one or more embodiments, the decryption engine (716) is able to utilize the decryption information such that the encrypted network traffic data unit may be further modified to return the payload and inner forwarding information back to their pre-encryption state (i.e., decrypted).


Next, the decryption engine (716) appends post-decryption information that indicates that decryption was successful. By mere virtue of having the post-decryption information, the switching engine is able to determine that (i) the (decrypted) network traffic data unit was previously encrypted and (ii) that decryption was successful. Thereafter, the decryption engine (716) transmits the decrypted network traffic data unit to switching engine B (718).


Next, switching engine B (718) obtains the decrypted network traffic data unit. Switching engine B (718) then analyzes the post-decryption information to determine if the post-decryption information indicates an error (in this use case, the post-decryption information does not indicate an error as decryption was successful). Once the determination is made that the post-decryption information does not indicate an error, switching engine B (718) then removes the post-decryption information as the post-decryption information is no longer needed.


After the post-decryption information is removed, switching engine B (718) then reads the decrypted inner forwarding information to identify the destination specified by the inner forwarding information. In this use case, the inner forwarding information specifies destination device (720) as the destination. Accordingly, switching engine B (718) then transmits the decrypted network traffic data unit towards the destination device (720) via an egress port of network device B (714).


Next, the destination device (720) obtains the decrypted network traffic data unit. At the destination device (720), the network traffic data unit arrives with the payload and inner forwarding information as originally generated. All other forwarding information (e.g., the outer forwarding information) and encryption/decryption information is removed prior to the arrival of the decrypted network traffic data unit at the destination device (720). Accordingly, the destination device (720) may utilize the payload for whatever purpose was intended.
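The pipeline of Use Case 1, together with the replay and integrity checks of Step 508 and the error handling of FIG. 6, as an added Go example that is not part of the patent or of any vendor's implementation: every type and function name is this example's own (hypothetical), AES-GCM from the Go standard library stands in for the hardware encryption engine, forwarding information is modelled as strings, and the replay check is a strictly increasing sequence number rather than a sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"strings"
)
const aesGCM = "AES-GCM" // every name in this file is this example's own (hypothetical), not the patent's or any vendor's API

// unit is a network traffic data unit moving through the FIG. 7 pipeline.
type unit struct {
	Inner, Payload string // inner forwarding information and payload: cleartext only inside a site
	Outer          string // outer forwarding information (tunnel termination device): never encrypted
	SATag          string // encryption information: added by switching engine A, removed by the encryption engine
	EncType        string // decryption information, segment 1: encryption type used
	Seq            uint64 // decryption information, segment 1: replay-protection sequence number
	Body           []byte // encrypted Inner+Payload followed by the 16-byte ICV (decryption information, segment 2)
	Post           string // post-decryption information (FIG. 2D): "" if untouched, "error: ..." on failure
}

// newGCM builds the AEAD for a tunnel key; a wrong key length is a configuration error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// nonce derives the 96-bit GCM nonce from the sequence number: unique per unit under one key.
func nonce(seq uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), seq) }

// switchingEngineA (FIG. 4): look up the tunnel for the inner destination, then tag the unit.
func switchingEngineA(u *unit, tunnels map[string]string) error {
	endpoint, ok := tunnels[u.Inner] // tunnels: destination device -> tunnel termination device
	if !ok {
		return fmt.Errorf("no tunnel configured for %q", u.Inner)
	}
	u.Outer, u.SATag = endpoint, aesGCM // this tunnel requires AES-GCM
	return nil
}

type encryptionEngine struct {
	aead cipher.AEAD // the tunnel's key; a real engine would select it via the SA-tag
	seq  uint64      // last sequence number sent, never reused under one key
}

// secure (FIG. 4): encrypt Inner+Payload, strip the SA-tag, append decryption information.
func (e *encryptionEngine) secure(u *unit) error {
	if u.SATag != aesGCM {
		return fmt.Errorf("encryption engine cannot perform %q", u.SATag)
	}
	e.seq++
	// Inner and Payload travel as one newline-framed ciphertext (this example's framing); the
	// cleartext Outer is GCM additional data, so the ICV covers the tunnel header as well.
	u.Body = e.aead.Seal(nil, nonce(e.seq), []byte(u.Inner+"\n"+u.Payload), []byte(u.Outer))
	u.EncType, u.Seq, u.SATag, u.Inner, u.Payload = aesGCM, e.seq, "", "", "" // nothing readable leaves the site
	return nil
}

type decryptionEngine struct {
	endpoint string
	aead     cipher.AEAD
	highest  uint64 // highest sequence number that passed the ICV check (strictly increasing here; IPsec ESP uses a sliding window to tolerate reordering)
}

// decrypt (FIG. 5): pass through units not terminated here; otherwise replay-check, authenticate and decrypt the unit and append post-decryption information.
func (d *decryptionEngine) decrypt(u *unit) {
	if u.Outer != d.endpoint {
		return
	}
	switch {
	case u.EncType != aesGCM:
		u.Post = "error: unsupported encryption type " + u.EncType
	case u.Seq <= d.highest:
		u.Post = "error: replay detected"
	default:
		plain, err := d.aead.Open(nil, nonce(u.Seq), u.Body, []byte(u.Outer))
		inner, payload, framed := strings.Cut(string(plain), "\n")
		if err != nil || !framed {
			u.Post = "error: integrity check failed"
			return
		}
		d.highest = u.Seq // advanced only after the ICV verified, so forged units cannot move it
		u.Inner, u.Payload, u.Body, u.Post = inner, payload, nil, "decrypted "+aesGCM
	}
}

// switchingEngineB (FIG. 6): drop and report on an error in the post-decryption information; otherwise strip tunnel and decryption information and return the egress.
func switchingEngineB(u *unit) (string, error) {
	if strings.HasPrefix(u.Post, "error") {
		return "", fmt.Errorf("dropping unit seq=%d: %s", u.Seq, u.Post)
	}
	u.Post, u.Outer, u.EncType, u.Seq = "", "", "", 0
	return u.Inner, nil
}
```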


One or more embodiments make it possible to encrypt and/or secure network traffic that utilizes certain routing techniques quickly and efficiently using hardware-based configurations. Specifically, in one or more embodiments, network traffic utilizing, for example, an IP routing and tunneling scheme may be processed by a specially configured network device that includes a switching engine and encryption engine configured to rapidly process and encrypt network traffic. Accordingly, as the network traffic is encrypted via a hardware-based solution, little-to-no latency is added to the process and speed is not compromised for security (thus achieving "line rate" or near "line rate" speeds, even when encrypting and decrypting is active). Further, in one or more embodiments, after traversing a public network fully encrypted via a network tunnel, the encrypted traffic may arrive at another specially configured network device that rapidly decrypts and transmits the network traffic towards the destination.


While one or more embodiments have been described herein with respect to a limited number of embodiments and examples, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the embodiments disclosed herein. Accordingly, the scope should be limited only by the attached claims.

Claims
  • 1. A method in a first network device for modifying network traffic data, comprising: a first switching engine in the first network device: obtaining a network traffic data unit; performing a lookup, by the first switching engine, to identify a destination using forwarding information contained in the network traffic data unit, and making a determination that the network traffic data unit is to traverse a network tunnel based on the destination, appending the network tunnel information to the network traffic data unit in response to a determination that the network traffic data unit is to traverse a network tunnel, wherein the network tunnel information indicates one or more of: (i) a port through which the network traffic data unit is intended to be transmitted out of the network device, (ii) an encryption engine for transmitting the network traffic data unit, and (iii) outer forwarding information that specifies a path through the network tunnel and/or a destination device that terminates the network tunnel; making a determination that encryption of the network traffic data unit is required based at least on the network tunnel information; generating encryption information, by the first switching engine, in response to a determination that encryption of the network traffic data unit is required, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending the encryption information to the network traffic data unit; prior to transmitting the network traffic data unit, securing the network traffic data unit, by an encryption engine in the first network device, using the encryption information appended to the network traffic data unit to create an encrypted network traffic data unit, wherein securing the network traffic data unit comprises: encrypting a portion of the network traffic data unit specified in the encryption information in accordance with the encryption type and the encryption key specified in the encryption information; removing the encryption information from the network traffic data unit; and appending decryption information to the encrypted network traffic data unit; and transmitting the encrypted network traffic data unit through the network tunnel, based on the network tunnel information, to the identified destination.
  • 2. The method of claim 1, wherein the network tunnel information indicates termination at a device that comprises a decryption engine.
  • 3. The method of claim 1, further comprising: receiving the encrypted network traffic data unit, by a decryption engine, comprising: the network tunnel information; and decryption information, wherein the decryption information specifies the encryption type; obtaining, by the decryption engine, the encryption type; decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generating post-decryption information based on the decrypting; appending, by the decryption engine, the post-decryption information to the network traffic data unit; transmitting the decrypted network traffic data unit to a second switching engine; determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information; converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit; and transmitting, by the second switching engine, the converted network traffic data unit to a destination device.
  • 4. The method of claim 3, wherein obtaining the encryption type comprises: determining that the network tunnel information specifies a device that comprises the decryption engine; and performing an analysis on the decryption information to obtain the encryption type.
  • 5. The method of claim 4, wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; and authenticating a payload of the encrypted network traffic data unit.
  • 6. The method of claim 3, wherein the second switching engine and the decryption engine are both hardware components of a second network device.
  • 7. A system for modifying network traffic data, comprising: a first network device comprising a first switching engine, configured to: obtain a network traffic data unit; perform a lookup using forwarding information contained in the network traffic data unit to identify a destination, and make a determination that the network traffic data unit is to traverse a network tunnel based on the destination, append the network tunnel information to the network traffic data unit in response to a determination that the network traffic data unit is to traverse a network tunnel, wherein the network tunnel information indicates one or more of: (i) a port through which the network traffic data unit is intended to be transmitted out of the network device, (ii) an encryption engine for transmitting the network traffic data unit, and (iii) outer forwarding information that specifies a path through the network tunnel and/or a destination device that terminates the network tunnel; make a determination that encryption of the network traffic data unit is required based at least on the network tunnel information; generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; append the encryption information to the network traffic data unit; secure the network traffic data unit, prior to transmitting the network traffic data unit, based on the encryption information to create an encrypted network traffic data unit, including: encrypting a portion of the network traffic data unit specified in the encryption information in accordance with the encryption type and the encryption key specified in the encryption information; removing the encryption information from the network traffic data unit; and appending decryption information to the encrypted network traffic data unit; and transmit the encrypted network traffic data unit through a network tunnel based on the network tunnel information, to the identified destination.
  • 8. The system of claim 7, wherein the analysis comprises: performing a lookup to identify a destination; and determining that the network traffic data unit is to traverse a network tunnel based on the destination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine.
  • 9. The system of claim 7, wherein securing the network traffic data unit comprises: determining that the encryption information is valid; modifying the network traffic data unit based on the encryption type; and after the modifying: removing the encryption information from the network traffic data unit; and appending decryption information to the network traffic data unit.
  • 10. The system of claim 7, further comprising: a second network device comprising: a decryption engine, configured to: receive the encrypted network traffic data unit, comprising: the network tunnel information; and decryption information, wherein the decryption information specifies the encryption type; obtain the encryption type based on the decryption information; decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generate post-decryption information based on the decrypted network traffic data unit; append the post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a second switching engine, and the second switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful; convert the decrypted network traffic data unit into a converted network traffic data unit; and transmit the converted network traffic data unit to a destination device.
  • 11. The system of claim 10, wherein obtaining the encryption type comprises: determining that the network tunnel information specifies a device that comprises the decryption engine; and performing an analysis on the decryption information to obtain the encryption type.
  • 12. The system of claim 11, wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; and authenticating a payload of the encrypted network traffic data unit.
  • 13. The system of claim 10, wherein the switching engine and the decryption engine are both hardware components of the second network device.
  • 14. A non-transitory computer-readable storage device in a network device having stored thereon computer executable instructions, which when executed by a computer in the network device, cause the computer to: obtain a network traffic data unit; perform a lookup using forwarding information contained in the network traffic data unit to identify a destination, and make a determination that the network traffic data unit is to traverse a network tunnel based on the destination, append the network tunnel information to the network traffic data unit in response to a determination that the network traffic data unit is to traverse a network tunnel, wherein the network tunnel information indicates one or more of: (i) a port through which the network traffic data unit is intended to be transmitted out of the network device, (ii) an encryption engine for transmitting the network traffic data unit, and (iii) outer forwarding information that specifies a path through the network tunnel and/or a destination device that terminates the network tunnel; make a determination that encryption of the network traffic data unit is required based at least on the network tunnel information; generate encryption information in response to a determination that encryption of the network traffic data unit is required, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; append the encryption information to the network traffic data unit; prior to transmitting the network traffic data unit, secure the network traffic data unit using the encryption information appended to the network traffic data unit to create an encrypted network traffic data unit, wherein securing the network traffic data unit comprises: encrypting a portion of the network traffic data unit specified in the encryption information in accordance with the encryption type and the encryption key specified in the encryption information; removing the encryption information from the network traffic data unit; and appending decryption information to the encrypted network traffic data unit; and transmit the encrypted network traffic data unit through the network tunnel based on the network tunnel information, to the identified destination.
  • 15. The non-transitory computer-readable storage device of claim 14, wherein the network tunnel information indicates termination at a device that comprises a decryption engine.
  • 16. The non-transitory computer-readable storage device of claim 14, wherein the computer executable instructions, which when executed by the computer, further cause the computer to append decryption information to the encrypted network traffic data unit.
  • 17. The non-transitory computer-readable storage device of claim 14, wherein the computer executable instructions, which when executed by the computer, further cause the computer to: receive the encrypted network traffic data unit comprising: the network tunnel information; and decryption information, wherein the decryption information specifies the encryption type; obtain the encryption type; decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generate post-decryption information based on the decrypting; append the post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a switching engine, wherein the switching engine: determines that decrypting the encrypted network traffic data unit was successful based on the post-decryption information; converts the decrypted network traffic data unit into a converted network traffic data unit; and transmits the converted network traffic data unit to a destination device.
  • 18. The non-transitory computer-readable storage device of claim 17, wherein obtaining the encryption type comprises performing an analysis on the decryption information to obtain the encryption type.
  • 19. The non-transitory computer-readable storage device of claim 18, wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; and authenticating a payload of the encrypted network traffic data unit.
CROSS REFERENCE TO RELATED APPLICATIONS

This patent application claims the benefit of U.S. Provisional Patent Application Ser. No. 62/740,302 filed on Oct. 2, 2018 under 35 U.S.C. § 119(e). U.S. Provisional Patent Application Ser. No. 62/740,302 is incorporated herein by reference in its entirety.

US Referenced Citations (628)
20060274899 Zhu Dec 2006 A1
20060288405 Albisu Dec 2006 A1
20060294368 Adams Dec 2006 A1
20070025241 Nadeau Feb 2007 A1
20070028001 Phillips Feb 2007 A1
20070038855 Brown Feb 2007 A1
20070074280 Callaghan Mar 2007 A1
20070110248 Li May 2007 A1
20070121596 Kurapati May 2007 A1
20070248091 Khalid Oct 2007 A1
20070253553 Abdul Rahman Nov 2007 A1
20080028458 Masuhiro Jan 2008 A1
20080034417 He Feb 2008 A1
20080037436 Liu Feb 2008 A1
20080052393 McNaughton Feb 2008 A1
20080052394 Bugenhagen Feb 2008 A1
20080052395 Wright Feb 2008 A1
20080052401 Bugenhagen Feb 2008 A1
20080072035 Johnson Mar 2008 A1
20080075073 Swartz Mar 2008 A1
20080098212 Helms Apr 2008 A1
20080098464 Mizrah Apr 2008 A1
20080115203 Elzur May 2008 A1
20080123555 Qi May 2008 A1
20080123652 Akyol May 2008 A1
20080130889 Qi Jun 2008 A1
20080141023 Qi Jun 2008 A1
20080172366 Hannel Jul 2008 A1
20080178258 Loomis Jul 2008 A1
20080192739 Carrasco Aug 2008 A1
20080219268 Dennison Sep 2008 A1
20080239956 Okholm Oct 2008 A1
20080263363 Jueneman Oct 2008 A1
20080304485 Sinha et al. Dec 2008 A1
20080316922 Riddle Dec 2008 A1
20090055643 Brown Feb 2009 A1
20090113202 Hidle Apr 2009 A1
20090113203 Tsuge Apr 2009 A1
20090154461 Kitani Jun 2009 A1
20090158040 Chaudhary Jun 2009 A1
20090193027 Ahn Jul 2009 A1
20090204850 Zhang Aug 2009 A1
20090216587 Dwivedi Aug 2009 A1
20090217032 Guan Aug 2009 A1
20090222657 Bender Sep 2009 A1
20090222902 Bender Sep 2009 A1
20090262937 Hirth Oct 2009 A1
20090276830 O'Connor Nov 2009 A1
20090327693 Liang Dec 2009 A1
20090327695 Molsberry Dec 2009 A1
20100040061 McGuire Feb 2010 A1
20100049964 Kondapalli Feb 2010 A1
20100058054 Irvine Mar 2010 A1
20100074102 Mutoh Mar 2010 A1
20100106968 Mori Apr 2010 A1
20100174901 Khermosh Jul 2010 A1
20100217882 Yang Aug 2010 A1
20100223342 Brown Sep 2010 A1
20100271938 Mutoh Oct 2010 A1
20100306533 Phatak Dec 2010 A1
20100312910 Lin Dec 2010 A1
20100332822 Liu Dec 2010 A1
20110007901 Ikeda Jan 2011 A1
20110010435 Okaya Jan 2011 A1
20110075664 Lambeth Mar 2011 A1
20110119740 Grayson May 2011 A1
20110173678 Kaippallimalil Jul 2011 A1
20110191578 Hayes Aug 2011 A1
20110231443 Hannel Sep 2011 A1
20110238986 Kherani Sep 2011 A1
20110238987 Kherani Sep 2011 A1
20110252228 Chang Oct 2011 A1
20110283017 Alkhatib Nov 2011 A1
20110289565 Resch Nov 2011 A1
20110320813 Suginaka Dec 2011 A1
20120011351 Mundra Jan 2012 A1
20120036245 Dare Feb 2012 A1
20120072717 Hayes Mar 2012 A1
20120072979 Cha Mar 2012 A1
20120180136 Song Jul 2012 A1
20120183139 Matsuo Jul 2012 A1
20120207039 Srinivasan Aug 2012 A1
20120224583 Sergeev Sep 2012 A1
20120250682 Vincent Oct 2012 A1
20120250686 Vincent Oct 2012 A1
20130054761 Kempf Feb 2013 A1
20130091349 Chopra Apr 2013 A1
20130091350 Gluck Apr 2013 A1
20130103818 Koponen Apr 2013 A1
20130114601 Branscomb May 2013 A1
20130117856 Branscomb May 2013 A1
20130132541 Falk May 2013 A1
20130191907 Falk Jul 2013 A1
20130212378 Falk Aug 2013 A1
20130237155 Kim Sep 2013 A1
20130258963 Mihaly Oct 2013 A1
20130259060 Liu Oct 2013 A1
20130276058 Buldas Oct 2013 A1
20130318570 L. Nov 2013 A1
20140007222 Qureshi Jan 2014 A1
20140032758 Barton Jan 2014 A1
20140078936 Kim Mar 2014 A1
20140086580 Griswold Mar 2014 A1
20140093072 Biradar Apr 2014 A1
20140107875 Beyer Apr 2014 A1
20140119367 Han May 2014 A1
20140136589 Wahler May 2014 A1
20140136838 Mossbarger May 2014 A1
20140153572 Hampel Jun 2014 A1
20140192808 Thubert Jul 2014 A1
20140201516 Bjarnason Jul 2014 A1
20140226820 Chopra Aug 2014 A1
20140233412 Mishra Aug 2014 A1
20140237539 Wing Aug 2014 A1
20140241247 Kempf Aug 2014 A1
20140279640 Moreno Sep 2014 A1
20140280889 Nispel Sep 2014 A1
20140304500 Sun Oct 2014 A1
20140373124 Rubin Dec 2014 A1
20140376378 Rubin Dec 2014 A1
20140376405 Erickson Dec 2014 A1
20140376530 Erickson Dec 2014 A1
20150010152 Proulx Jan 2015 A1
20150016287 Ganichev Jan 2015 A1
20150030029 Mohamed Jan 2015 A1
20150063364 Thakkar Mar 2015 A1
20150079945 Rubin Mar 2015 A1
20150098472 Choi Apr 2015 A1
20150117471 Mizrahi Apr 2015 A1
20150120916 Frattura Apr 2015 A1
20150124823 Pani May 2015 A1
20150127701 Chu May 2015 A1
20150150115 Le Rouzic May 2015 A1
20150172169 DeCusatis Jun 2015 A1
20150207793 Mohamed Jul 2015 A1
20150237029 Zhang Aug 2015 A1
20150257003 Norrman Sep 2015 A1
20150269374 Fan Sep 2015 A1
20150271270 Edlund Sep 2015 A1
20150281099 Banavalikar Oct 2015 A1
20150288704 Huang Oct 2015 A1
20150319159 Abdul Hameed Khan Nov 2015 A1
20150319162 Ollikainen Nov 2015 A1
20150334033 Wang Nov 2015 A1
20150341326 Premnath Nov 2015 A1
20150365409 Mohamed Dec 2015 A1
20150365414 Liang Dec 2015 A1
20150381386 Sigoure Dec 2015 A1
20150381531 Huang Dec 2015 A1
20150381569 Visser Dec 2015 A1
20160036813 Wakumoto Feb 2016 A1
20160043996 Syed Mohamed Feb 2016 A1
20160057121 Metsala Feb 2016 A1
20160105471 Nunes Apr 2016 A1
20160117449 Hunn Apr 2016 A1
20160142386 Snyder, II May 2016 A1
20160157274 Akiyoshi Jun 2016 A1
20160182458 Shatzkamer Jun 2016 A1
20160205095 Morel Jul 2016 A1
20160210209 Verkaik Jul 2016 A1
20160218910 Tee Jul 2016 A1
20160219024 Verzun Jul 2016 A1
20160219036 Devkar Jul 2016 A1
20160255050 Grayson Sep 2016 A1
20160286600 Faccin Sep 2016 A1
20160301669 Muma Oct 2016 A1
20160315853 Liste Oct 2016 A1
20160315963 Fiaschi Oct 2016 A1
20160328707 Wagner Nov 2016 A1
20160330125 Mekkattuparamban Nov 2016 A1
20160352538 Chiu Dec 2016 A1
20160352632 Nedeltchev Dec 2016 A1
20160352633 Kapadia Dec 2016 A1
20160352682 Chang Dec 2016 A1
20160357957 Deen Dec 2016 A1
20160373343 Lundqvist Dec 2016 A1
20160373441 Sirivara Dec 2016 A1
20160381699 Rubin Dec 2016 A1
20170017907 Narasimhan Jan 2017 A1
20170026349 Smith Jan 2017 A1
20170026355 Mathaiyan Jan 2017 A1
20170026417 Ermagan Jan 2017 A1
20170026427 Vuong Jan 2017 A1
20170033992 Dichtel Feb 2017 A1
20170048278 Tomasso Feb 2017 A1
20170085372 Anderson Mar 2017 A1
20170097841 Chang Apr 2017 A1
20170099188 Chang Apr 2017 A1
20170104719 Claes Apr 2017 A1
20170104850 Arangasamy Apr 2017 A1
20170104851 Arangasamy Apr 2017 A1
20170111170 Baghdasaryan Apr 2017 A1
20170126503 Tsubouchi May 2017 A1
20170142064 Weis May 2017 A1
20170142096 Reddy May 2017 A1
20170169227 Rajcan Jun 2017 A1
20170171163 Gareau Jun 2017 A1
20170186260 Bermúdez Jun 2017 A1
20170214549 Yoshino Jul 2017 A1
20170222809 Takahashi Aug 2017 A1
20170244645 Edsall Aug 2017 A1
20170257260 Govindan Sep 2017 A1
20170302569 Ramaswamy Oct 2017 A1
20170323116 Mumford Nov 2017 A1
20170324566 Kawasaki Nov 2017 A1
20170325113 Markopoulou Nov 2017 A1
20170346731 Pukhraj Jain Nov 2017 A1
20170359317 Anderson Dec 2017 A1
20170366395 Goldfarb Dec 2017 A1
20170366416 Beecham Dec 2017 A1
20170366508 Saraf Dec 2017 A1
20180007557 Lee Jan 2018 A1
20180013583 Rubenstein Jan 2018 A1
20180013798 Pallas Jan 2018 A1
20180026812 Verkaik Jan 2018 A1
20180026874 Usman Jan 2018 A1
20180026884 Nainar Jan 2018 A1
20180063036 Chandrashekhar Mar 2018 A1
20180063176 Katrekar Mar 2018 A1
20180063193 Chandrashekhar Mar 2018 A1
20180084021 Rubin Mar 2018 A1
20180091446 Zhang Mar 2018 A1
20180097656 Knutsen Apr 2018 A1
20180097722 Callard Apr 2018 A1
20180102918 Amini Apr 2018 A1
20180115548 Edsall Apr 2018 A1
20180123828 Zhang May 2018 A1
20180145952 Falk May 2018 A1
20180145981 Du May 2018 A1
20180152442 Buldas May 2018 A1
20180167232 Käslin Jun 2018 A1
20180167307 Barry Jun 2018 A1
20180232817 Isaacson Aug 2018 A1
20180248713 Zanier Aug 2018 A1
20180254919 Van De Velde Sep 2018 A1
20180255138 Hall Sep 2018 A1
20180262388 Johnson Sep 2018 A1
20180287818 Goel Oct 2018 A1
20180287965 Sindhu Oct 2018 A1
20180293367 Urman Oct 2018 A1
20180302269 Sankaran Oct 2018 A1
20180309595 Ma Oct 2018 A1
20180314847 Yeo Nov 2018 A1
20180337889 Panchapakesan Nov 2018 A1
20180367288 Vrzic Dec 2018 A1
20180375842 Aschauer Dec 2018 A1
20180375866 Hillis Dec 2018 A1
20190007381 Isaacson Jan 2019 A1
20190013965 Sindhu Jan 2019 A1
20190028424 Mittal Jan 2019 A1
20190036736 Gao Jan 2019 A1
20190068564 Putatunda Feb 2019 A1
20190081930 Hunt, IV Mar 2019 A1
20190097745 Mallela Mar 2019 A1
20190104207 Goel Apr 2019 A1
20190110214 Shen Apr 2019 A1
20190110238 Buckley Apr 2019 A1
20190116165 Polak Apr 2019 A1
20190116183 Hussain Apr 2019 A1
20190123994 Zhang Apr 2019 A1
20190124055 Guo Apr 2019 A1
20190132296 Jiang May 2019 A1
20190132314 Haravu May 2019 A1
20190140826 Carrel May 2019 A1
20190141021 Isaacson May 2019 A1
20190141022 Reeve May 2019 A1
20190158279 Chimakurthy May 2019 A1
20190158347 Tee May 2019 A1
20190158985 Dao May 2019 A1
20190166134 Tzeng May 2019 A1
20190173856 Gareau Jun 2019 A1
20190173860 Sankaran Jun 2019 A1
20190190892 Menachem Jun 2019 A1
20190190910 Min Jun 2019 A1
20190191330 Dao Jun 2019 A1
20190199449 Loprieno Jun 2019 A1
20190199679 Kottapalli Jun 2019 A1
20190207915 Schaap Jul 2019 A1
20190230065 Panchapakesan Jul 2019 A1
20190230087 Gharout Jul 2019 A1
20190230675 Papa Jul 2019 A1
20190253274 Van Dussen Aug 2019 A1
20190253403 Li Aug 2019 A1
20190253774 Grammel Aug 2019 A1
20190268767 Wu Aug 2019 A1
20190281031 Pothula Sep 2019 A1
20190288803 Langenbach Sep 2019 A1
20190288873 Camarillo Garvia Sep 2019 A1
20190288874 White Sep 2019 A1
20190306133 Allan Oct 2019 A1
20190306166 Konda Oct 2019 A1
20190334813 Raj Oct 2019 A1
20190342101 Hayes Nov 2019 A1
20190354685 Tomasso Nov 2019 A1
20190379572 Yadav Dec 2019 A1
20190386824 Havaralu Rama Chandra Adiga Dec 2019 A1
20190394027 Falk Dec 2019 A1
20200004442 Caswell Jan 2020 A1
20200007495 Balamurugan Jan 2020 A1
20200014638 Chen Jan 2020 A1
20200028711 Janakiraman Jan 2020 A1
20200029205 Hu Jan 2020 A1
20200036796 Tollet Jan 2020 A1
20200044694 Park Feb 2020 A1
20200052876 Kilian Feb 2020 A1
20200053083 Kunz Feb 2020 A1
20200059761 Li Feb 2020 A1
20200059780 Hess Feb 2020 A1
20200067943 Falk Feb 2020 A1
20200068391 Liu Feb 2020 A1
20200076524 Demchenko Mar 2020 A1
20200076767 Venaas Mar 2020 A1
20200120022 Stammers Apr 2020 A1
20200120132 Fages-Tafanelli Apr 2020 A1
20200120134 Hill Apr 2020 A1
20200127978 Sakagami Apr 2020 A1
20200127983 Asghar Apr 2020 A1
20200127987 Sharma Apr 2020 A1
20200128469 Akhavain Mohammadi Apr 2020 A1
20200143088 Sunkavalli May 2020 A1
20200145321 Pignataro May 2020 A1
20200146077 Li May 2020 A1
20200153871 Lei May 2020 A1
20200159603 Panda May 2020 A1
20200162270 Du May 2020 A1
20200162431 Goldschlag May 2020 A1
20200162917 Anantha May 2020 A1
20200177503 Hooda Jun 2020 A1
20200177632 Han Jun 2020 A1
20200177654 Mittal Jun 2020 A1
20200178076 Ben Henda Jun 2020 A1
20200186447 Song Jun 2020 A1
20200186507 Dhanabalan Jun 2020 A1
20200195616 Edgar Jun 2020 A1
20200195619 Iwata Jun 2020 A1
20200204591 Yang Jun 2020 A1
20200213152 Choquette Jul 2020 A1
20200220843 Hill Jul 2020 A1
20200244082 Chai Jul 2020 A1
20200252217 Mathieu Aug 2020 A1
20200259896 Sachs Aug 2020 A1
20200267243 Trossen Aug 2020 A1
20200267623 Altay Aug 2020 A1
20200287737 Mishra Sep 2020 A1
20200314144 Gaál Oct 2020 A1
20200322268 Thoria Oct 2020 A1
20200322383 Filsfils Oct 2020 A1
20200351085 Coyle Nov 2020 A1
20200358764 Hojilla Uy Nov 2020 A1
20200366651 Gupta Nov 2020 A1
20200366686 Gaál Nov 2020 A1
20200367296 Zhu Nov 2020 A1
20200382471 Janakiraman Dec 2020 A1
20200382519 Barton Dec 2020 A1
20200389469 Litichever Dec 2020 A1
20200402049 Pi Farias Dec 2020 A1
20200403978 Allen Dec 2020 A1
20210011781 Wan Jan 2021 A1
20210021579 Thorslund Jan 2021 A1
20210029087 Uy Jan 2021 A1
20210036987 Mishra Feb 2021 A1
20210044454 Xu Feb 2021 A1
20210044565 Moreno Feb 2021 A1
20210058784 Kedalagudde Feb 2021 A1
20210067329 Coyle Mar 2021 A1
20210091935 Bush Mar 2021 A1
20210092103 Acharya Mar 2021 A1
20210112127 Zhu Apr 2021 A1
20210112409 Rune Apr 2021 A1
20210152554 Taft May 2021 A1
20210168174 Falk Jun 2021 A1
20210168661 Wong Jun 2021 A1
20210184914 Myneni Jun 2021 A1
20210203598 Kompella Jul 2021 A1
20210211279 Nix Jul 2021 A1
20210218752 Fischer Jul 2021 A1
20210227492 Wang Jul 2021 A1
20210235268 Wu Jul 2021 A1
20210306853 Gundavelli Sep 2021 A1
20210321258 Salkintzis Oct 2021 A1
20210329460 Liao Oct 2021 A1
20210352047 Singh Nov 2021 A1
20210392469 Wang Dec 2021 A1
20210409405 Salajegheh Dec 2021 A1
20220007184 Ferdi Jan 2022 A1
20220021605 Bagwell Jan 2022 A1
20220029800 Sergeev Jan 2022 A1
20220030428 Li Jan 2022 A1
20220030429 Lei Jan 2022 A1
20220038869 Avetoom Feb 2022 A1
20220052989 Zhao Feb 2022 A1
20220052992 Zhang Feb 2022 A1
20220078047 Yao Mar 2022 A1
20220086145 Lei Mar 2022 A1
20220086218 Sabella Mar 2022 A1
20220086236 Zhang Mar 2022 A1
20220095111 Fu Mar 2022 A1
20220116770 Li Apr 2022 A1
20220124091 Corona Apr 2022 A1
20220131941 Rönneke et al. Apr 2022 A1
20220132413 Hu Apr 2022 A1
20220141664 Huang May 2022 A1
20220150166 Yang May 2022 A1
20220159750 Song May 2022 A1
20220174038 Yu Jun 2022 A1
20220174488 Lei Jun 2022 A1
20220182804 Han Jun 2022 A1
20220183088 Huang Jun 2022 A1
20220191685 Hu Jun 2022 A1
20220210850 Ke Jun 2022 A1
20220224684 Schultz Jul 2022 A1
20220232460 Fu Jul 2022 A1
20220248363 Ryu Aug 2022 A1
20220263672 Zhang Aug 2022 A1
20220264503 Starsinic Aug 2022 A1
20220279348 Youn Sep 2022 A1
20220295577 Yao Sep 2022 A1
20220338110 Balmakhtar Oct 2022 A1
20220345894 Aghili Oct 2022 A1
20220353680 Hu Nov 2022 A1
20220377079 Ingerman Nov 2022 A1
20220377547 Guo Nov 2022 A1
20220377819 Zhou Nov 2022 A1
20220386120 Kim Dec 2022 A1
20220394595 Zhu Dec 2022 A1
20220400123 Ayoub Dec 2022 A1
20220407870 Vega Dec 2022 A1
20220408255 Howe Dec 2022 A1
20230036645 Qiao Feb 2023 A1
20230042442 Kim Feb 2023 A1
20230044476 Lei Feb 2023 A1
20230049810 Zhang Feb 2023 A1
20230064433 Mao Mar 2023 A1
20230066604 Huang Mar 2023 A1
20230074886 Armleder Mar 2023 A1
20230077391 Guo Mar 2023 A1
20230109272 Ryu Apr 2023 A1
20230112305 Kaur Apr 2023 A1
20230133187 Ferdi May 2023 A1
20230137255 Mestery May 2023 A1
20230164066 Zhu May 2023 A1
20230164241 Filippou May 2023 A1
20230189192 Talebi Fard Jun 2023 A1
20230224300 Zhang Jul 2023 A1
20230246839 Mathieu Aug 2023 A1
20230246950 Kaimal Aug 2023 A1
20230254694 Ryu Aug 2023 A1
20230283475 Jiang Sep 2023 A1
20230300210 Wang Sep 2023 A1
20230300665 Solanki Sep 2023 A1
20230300772 Guo Sep 2023 A1
20230319635 Kang Oct 2023 A1
20230334172 Ke Oct 2023 A1
20230336381 Trujillo Oct 2023 A1
20230336992 Kim Oct 2023 A1
20230362637 Thiebaut Nov 2023 A1
20230396557 Pazhyannur Dec 2023 A1
20230412687 Kim Dec 2023 A1
20230413212 De Foy Dec 2023 A1
20240007330 Kim Jan 2024 A1
20240031798 Zhu Jan 2024 A1
20240040472 Satyanarayana Feb 2024 A1
20240048986 Liu Feb 2024 A1
20240056446 Castellanos Zamora Feb 2024 A1
20240056807 Yang Feb 2024 A1
20240064042 Trujillo Feb 2024 A1
20240073010 Ganguly Feb 2024 A1
20240073672 Bi Feb 2024 A1
20240073691 Lehtovirta Feb 2024 A1
20240129730 Guo Apr 2024 A1
20240137765 Jost Apr 2024 A1
20240154820 Groth May 2024 A1
20240195879 Sabella Jun 2024 A1
20240214282 Ding Jun 2024 A1
20240214365 Li Jun 2024 A1
20240223548 Xu Jul 2024 A1
20240224158 Zhang Jul 2024 A1
20240244042 Khan Jul 2024 A1
20240244455 Chen Jul 2024 A1
20240267783 Howe Aug 2024 A1
20240276217 Wang Aug 2024 A1
20240340709 Li Oct 2024 A1
Foreign Referenced Citations (2)
Number Date Country
106301765 Jan 2017 CN
106657121 May 2017 CN
Non-Patent Literature Citations (33)
Entry
Cisco “Innovations in Ethernet Encryption (802.1AE MACsec) for Securing High Speed (1-100GE) WAN Deployments.” White Paper, 2016, pp. 1-22 (Year: 2016).
Cisco (Cisco IOS VPN Configuration Guide, pp. 1-131, 2005) (Year: 2005).
Wilson et al “Improving Security in a Virtual Network by Using Attribute Based Encryption Algorithm,” 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT], pp. 1-6 (Year: 2016).
Chiquito (Decrypting IPSec VPN Traffic, Mar. 6, 2018, pp. 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856) (Year: 2018).
Li et al “Mimic Encryption System for Network Security,” vol. 6, 2018, pp. 1-20, IEEE Access (Year: 2018).
Choi et al “MACsec Extension over Software-Defined Networks for In-Vehicle Secure Communication,” IEEE, ICUFN 2018, pp. 180-185 (Year: 2018).
Wahid et al “Maximizing Ethernet Security by Switch-based Single Secure Domain,” 2010 Seventh International Conference on Information Technology, IEEE Computer Society, pp. 774-778 (Year: 2010).
Mizrahi “Time Synchronization Security using IPsec and MACsec,” IEEE, pp. 1-6 (Year: 2011).
Wahid “Maximizing Ethernet Security by Switch-based Single Secure Domain,” 2010 Seventh International Conference on Information Technology, IEEE Computer Society, pp. 774-778 (Year: 2010).
Tennekoon et al “On the Effectiveness of IP-Routable Entire-Packet Encryption Service Over Public Networks,” IEEE Access, pp. 73170-73179 (Year: 2018).
Nagashima et al “A Repeater Encryption Unit for IPv4 and IPv6,” IEEE, pp. 335-340 (Year: 2005).
Zhou et al “An Encryption Algorithm Based on Multi-Connection Transmission,” 2017 17th IEEE International Conference on Communication Technology, IEEE, pp. 1296-1300 (Year: 2017).
Huda et al “Secure Data Exchange using Authenticated Ciphertext-Policy Attributed-Based Encryption,” 2015 International Electronics Symposium, IEEE, pp. 134-139, (Year: 2015).
Aweya, “Introduction to Switch/Router Architectures: Shared-Bus and Shared-Memory Based Systems,” First Edition, IEEE, John Wiley & Sons, pp. 1-15 (Year: 2018).
Tennekoon et al “On the Effectiveness of IP-Routable Entire-Packet Encryption Service Over Public Networks,” IEEE, pp. 73170-73179 (Year: 2018).
International Search Report issued in corresponding Application No. PCT/US2019/054340, mailed on Jan. 13, 2020.
Written Opinion issued in corresponding Application No. PCT/US2019/054340, mailed on Jan. 13, 2020.
“IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security”; IEEE Computer Society, IEEE; 2006; https://ieeexplore.ieee.org/document/1678345.
“Special-Purpose Multiprotocol Label Switching (MPLS) Label Values”; IANA; Nov. 8, 2002; https://www.iana.org/assignments/mpls-label-values/mpls-label-values.xhtml.
A. Farrel et al.; “Opportunistic Security in MPLS Networks”; Network Working Group; Internet-Draft; Mar. 28, 2017.
A. Huttunen et al.; “UDP Encapsulation of IPsec ESP Packets”; Network Working Group, RFC 3948; Jan. 2005.
C. Filsfils et al.; “Segment Routing Architecture”; IETF, RFC 8402, Jul. 2018.
C. Kaufman et al.; “Internet Key Exchange Protocol Version 2 (IKEv2)”; Internet Engineering Task Force (IETF), RFC 7296; Oct. 2014.
C. Kaufman; “Internet Key Exchange (IKEv2) Protocol”; Network Working Group, RFC 4306; Dec. 2005.
D. Piper; “The Internet IP Security Domain of Interpretation for ISAKMP”; Network Working Group, RFC 2407; Nov. 1998.
E. Rosen et al.; “MPLS Label Stack Encoding”; Network Working Group, RFC 3032; Jan. 2001.
E. Rosen et al.; “Multiprotocol Label Switching Architecture”; Network Working Group, RFC 3031; Jan. 2001.
International Search Report issued in corresponding Application No. PCT/US2019/054344, mailed on Dec. 5, 2019.
J. Viega et al.; “The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)”; Network Working Group, RFC 4106; Jun. 2005.
K. Kompella et al.; “Allocating and Retiring Special-Purpose MPLS Labels”; Internet Engineering Task Force (IETF), RFC 7274; Jun. 2014.
M. Mahalingam et al.; “Virtual extensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks”; Independent Submission, RFC 7348; Aug. 2014.
S. Kent; “IP Encapsulating Security Payload (ESP)”; Network Working Group, RFC 4303; Dec. 2005.
Written Opinion issued in corresponding Application No. PCT/US2019/054344, mailed on Dec. 5, 2019.
Related Publications (1)
Number Date Country
20210092103 A1 Mar 2021 US
Provisional Applications (1)
Number Date Country
62740302 Oct 2018 US