Integrated policy checking system and method

Description

FIELD OF THE INVENTION

The present invention relates to network policy management, and more particularly to performing policy checking in an efficient manner.

BACKGROUND OF THE INVENTION

IPsec (Internet Protocol Security) is a framework for a set of protocols for security at a network or packet processing layer of network communication. Earlier security approaches inserted security at the application layer of the communications model. IPsec is thus particularly useful for implementing virtual private networks and for remote user access through various connections to private networks.

One advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. IPsec provides two choices of security service. First provided is an authentication header (AH), which essentially allows authentication of the sender of data. Further provided is an encapsulating security payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is typically inserted into the packet in a header that follows the IP packet header.

In the context of the present description, a security association (SA) is defined as a relationship between two or more entities that describes how the entities utilize security services to communicate effectively. Physically, it may include a structure containing information on a set of agreements for communication including, for example, keys used for the decryption or authentication of packets. Moreover, a security parameter index (SPI) is combined with the destination IP and security protocol (AH or ESP) to uniquely specify an SA. Each AH and ESP header may, for example, contain a 32-bit SPI field.

Prior art FIG. 1 illustrates an exemplary framework 100 of IPSec layers and corresponding SAs in a packet, in accordance with the prior art. As shown, four (4) SAs are provided in the present exemplary framework 100. Of course, however, it should be noted that there could be as few as one and no theoretical limit (i.e. with iterated tunneling). Also note that there is an IP header separating the SAs.

The SAs are arbitrarily labeled A, B, C and D. Another packet may or may not use A, B, C or D, but instead use another SA, such as F (unillustrated). In use, each SA has a limited lifetime and a successor may be setup before it expires so that the successor can seamlessly replace it (without interrupting the connection). In the context of the present description, each generation of an SA is denoted by an associated index. For example, SA F₅would succeed F₄, and so forth. It should be noted that the successor SA may have a completely different identity (SPI) and encryption/authentication keys with respect to any predecessor.

In the past, IPSec processing involving the foregoing framework 100 has typically been carried out utilizing a processor. However, such IPSec processing can be quite cumbersome for a processor, and further drain associated resources during use. Thus, there is a continuing need to integrate IPSec processing into transport offload engines.

Transport offload engines (TOE) are gaining popularity in high-speed systems for the purpose of optimizing throughput and lowering processor utilization. TOE components are often incorporated into one of various systems including printed circuit boards such as a network interface card (NIC), a host bus adapter (HBA), a motherboard; or in any other desired offloading context.

In recent years, the communication speed in networks has increased faster than processor speed. This increase has produced an input/output (I/O) bottleneck. The processor, which is designed primarily for computing and not for I/O, cannot typically keep up with the data flowing through networks. As a result, the data flow is processed at a rate slower than the speed of the network. TOE technology solves this problem by removing the burden from the processor (i.e. offloading processing) and/or I/O subsystem.

While a TOE may be used to offload a processor of IPSec-type processing, such processing is still quite expensive, even for the TOE. There is thus a need for more efficient techniques of performing IPSec-type processing in the context of a system equipped with a TOE.

SUMMARY OF THE INVENTION

A system and method are provided for validating a security service associated with packets communicated on a network. A hash of a security service associated with packets communicated on a network is generated. In use, the security service associated with the packets is validated utilizing the hash.

In embodiment, the security service may include any of the following: authentication, encryption, terms of use of authentication, and/or terms of use of encryption. For example, the security service may include at least one security association (SA), an inner-Internet Protocol (IP) header, etc. More particularly, as an option, the security service may include at least one Internet Protocol Security (IPSec) transformation.

In another embodiment, the hash may be generated utilizing a transport offload engine. Optionally, the hash may be order-dependent, fixed in length, etc. Still yet, the hash may be generated utilizing an XOR operation, a random number, etc. Further, the hash that is generated for a first instance of the security service may be the same as the hash that is generated for a subsequent instance of the security service. Moreover, the security service may include a plurality of security associations and inner-IP headers, and the corresponding hashes may be generated utilizing the same random number.

In use from a server socket (i.e. connection) perspective, upon receipt of a packet, it is determined whether the packet is a synchronize (SYN) packet. If it is determined that the packet is a SYN packet; the SYN packet, an associated Internet Protocol Security (IPSec) transformation, and the hash may be sent from a transport offload engine to a processor.

Thus, it may be determined whether the SYN packet is accepted. If the SYN packet is accepted, a control block may be generated which includes the hash. A SYN acknowledgment (SYN/ACK) packet may then be generated.

In use from a client socket perspective, a client connection is initially requested. Next, a control block is generated which includes the hash. Still yet, a SYN packet may be generated. After waiting for a response, a SYN/ACK packet may be received in response to the SYN packet.

A hash associated with the packet is then calculated, and a control block (which includes the hash) associated with the SYN/ACK packet is retrieved. If the hash associated with the SYN/ACK packet matches the hash associated with the control block, the SYN/ACK packet is accepted. Still yet, if the hash associated with the SYN/ACK packet matches the hash associated with the control block, a handshake ACK packet may be generated. On the other hand, if the hash associated with the SYN/ACK packet does not match the hash associated with the control block, the SYN/ACK packet may be rejected.

Still yet, if it is determined that the packet received is neither a SYN packet nor a SYN/ACK packet, a control block (which includes the hash) associated with the packet may be retrieved, similar to before. If a hash associated with the packet matches the hash associated with the control block, the packet may be accepted. If not, the packet may be rejected.

BRIEF DESCRIPTION OF THE DRAWINGS

Prior art FIG. 1 illustrates an exemplary framework of Internet protocol security (IPSec) layers and corresponding security associations (SAs) in a packet, in accordance with the prior art.

FIG. 2 illustrates a network system, in accordance with one embodiment.

FIG. 3 illustrates an exemplary architecture in which one embodiment may be implemented.

FIG. 4A illustrates an exemplary method for security service validation from a server socket (i.e. connection) perspective, in accordance with one embodiment.

FIG. 4B illustrates a continuation of the security service validation method of FIG. 4A for operation when a synchronize acknowledgment (SYN/ACK) packet is received.

FIG. 4C illustrates a continuation of the security service validation method of FIG. 4A for operation when neither a SYN packet nor a SYN/ACK packet is received.

FIG. 5 illustrates an exemplary method for security service validation from a client socket perspective, in accordance with one embodiment.

FIG. 6 illustrates an exemplary framework for generating a hash, in accordance with one embodiment.

DETAILED DESCRIPTION

FIG. 2 illustrates a network system 200, in accordance with one embodiment. As shown, a network 202 is provided. In the context of the present network system 200, the network 202 may take any form including, but not limited to a local area network (LAN), a wide area network (WAN) such as the Internet, etc.

Coupled to the network 202 are a local host 204 and a remote host 206 which are capable of communicating over the network 202. In the context of the present description, such hosts 204, 206 may include a web server, storage device or server, desktop computer, lap-top computer, hand-held computer, printer or any other type of hardware/software. It should be noted that each of the foregoing components as well as any other unillustrated devices may be interconnected by way of one or more networks.

FIG. 3 illustrates an exemplary architecture 300 in which one embodiment may be implemented. In one embodiment, the architecture 300 may represent one of the hosts 204, 206 of FIG. 2. Of course, however, it should be noted that the architecture 300 may be implemented in any desired context.

For example, the architecture 300 may be implemented in the context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, a set-top box, a router, a network system, a storage system, an application-specific system, or any other desired system associated with the network 202.

As shown, the architecture 300 includes a plurality of components coupled via a bus 302. Included is at least one processor 304 for processing data. While the processor 304 may take any form, it may, in one embodiment, take the form of a central processing unit (CPU), a host processor, a chipset (i.e. a group of integrated circuits designed to work and sold as a unit for performing related functions, etc.), or any other desired processing device(s) capable of processing data.

Further included is processor system memory 306 which resides in communication with the processor 304 for storing the data. Such processor system memory 306 (e.g. a computer readable medium) may take the form of on-board or off-board random access memory (RAM), a hard disk drive, a removable storage drive (i.e., a floppy disk drive, a magnetic tape drive, a compact disk drive, etc.), and/or any other type of desired memory capable of storing data.

In use, programs, or control logic algorithms, may optionally be stored in the processor system memory 306. Such programs, when executed, enable the architecture 300 to perform various functions. Of course, the architecture 300 may simply be hardwired.

Further shown is a transport offload engine 312 in communication with the processor 304 and the network (see, for example, network 202 of FIG. 2). In one embodiment, the transport offload engine 312 may remain in communication with the processor 304 via the bus 302. Of course, however, the transport offload engine 312 may remain in communication with the processor 304 via any mechanism that provides communication therebetween. The transport offload engine 312 may include a transport (i.e. TCP/IP) offload engine (TOE), system, or any integrated circuit(s) that is capable of managing the data transmitted in the network.

While a single bus 302 is shown to provide communication among the foregoing components, it should be understood that any number of bus(es) (or other communicating mechanisms) may be used to provide communication among the components. Just by way of example, an additional bus may be used to provide communication between the processor 304 and processor system memory 306.

During operation, the transport offload engine 312, processor 304 and/or software works to validate a security service associated with packets communicated on a network. It should thus be noted that the present technology may be implemented in hardware, software, or both.

In the context of the present description, such security service may include any of the following: authentication, encryption, terms of use of authentication, terms of use of encryption and/or any service related to security. For example, the security service may include at least one security association (SA), an inner-Internet Protocol (IP) header, etc. Again, an SA may include a relationship between two or more entities that describes how the entities utilize a security service to communicate effectively. More information will be set forth regarding inner-IP headers during reference to FIG. 6. More particularly, as an option, the security service may include at least one Internet Protocol Security (IPSec) transformation.

To accomplish the aforementioned validation, a hash of the security service is generated by the transport offload engine 312, the processor 304, or any other mechanism (i.e. hardware and/or software). Thus, in use, the security service associated with the packets may be validated utilizing the hash.

To this end, security service validation may be carried out in an improved and/or more efficient manner. More information will now be set forth regarding one exemplary method by which the hash is generated and utilized in the foregoing manner.

FIGS. 4A-C illustrate an exemplary method 400 for security service validation from a server socket (i.e. connection) perspective, in accordance with one embodiment. As an option, the method 400 may be carried out in the context of the exemplary architecture 300 of FIG. 3. Of course, however, it should be noted that the method 400 may be implemented in any desired context. Moreover, while various functions may be attributed to exemplary components (i.e. like those set forth hereinabove), it is important to understand that the various functionality may be carried out by any desired entity.

As shown in FIG. 4A, a packet is received. See operation 402. In one embodiment, the packet may be received utilizing a transport offload engine (see, for example, transport offload engine 312 of FIG. 3). Next, in operation 404, the packet is decrypted and/or authenticated, utilizing the transport offload engine. Such decryption and/or authentication may be accomplished utilizing an ordered-list of Internet Protocol Security (IPSec) transformations.

More information regarding this IPSec and related processing may be found with reference to an application entitled “GIGABIT ETHERNET ADAPTER SUPPORTING THE ISCSI AND IPSEC PROTOCOLS” filed Jun. 5, 2003 under Ser. No. 10/456,871, which is incorporated herein by reference in its entirety.

Thereafter, continued operation varies depending on whether the incoming packet includes a synchronize (SYN) packet, a SYN acknowledgment (SYN/ACK), or neither. Specifically, in decision 406, it is determined whether the present packet is a SYN packet. This may be accomplished utilizing the transport offload engine or a processor (see, for example, processor 304 of FIG. 3).

In the context of the present description, a SYN packet may include any packet, signal, etc. that initiates the synchronization process necessary to establish a connection. Moreover, the SYN packet may include a header flag identifying the packet as a SYN packet. Such flag may thus be used in making the decision 406. As will soon become apparent, such SYN packet may be received from a remote TCP host. More information regarding similar operation from a client socket perspective will be set forth in greater detail during reference to FIG. 5.

If the present packet is a SYN packet per decision 406, the decrypted and/or authenticated SYN packet, the IPSec transformations, and the hash are sent from the transport offload engine to the processor. See operation 410. To this end, the processor is capable of performing further IPSec processing on the SYN packet. Specifically, the processor may perform IPSec policy checking at the TCP layer to determine whether the SYN packet (and the related connection) should be allowed.

If the IPSec policy checking is successful and the processor determines that the SYN packet (and the related connection) should be allowed (see decision 412), a control block is generated which includes the hash, utilizing the transport offload engine. Note operation 414. In the context of the present description, the control block may include any data structure including the hash and any other information capable of facilitating network socket management.

Optionally, the aforementioned hash may be order-dependent, fixed in length, etc. Still yet, the hash may be generated utilizing an XOR operation, a random number, etc. Such random number may further be unique to a security association, and any descendents of the security association. Further, the hash that is generated for a first instance of the security service may be the same as the hash that is generated for a subsequent instance of the security service. In any case, in the context of the present description, the hash may include any unique (or substantially unique) key associated with the security service (as defined herein). More information regarding one exemplary way in which the hash may be calculated will be set forth during reference to FIG. 6.

A SYN/ACK packet may then be generated and sent in response to the SYN packet, utilizing the transport offload engine. Note operation 416. Such SYN/ACK packet may serve as the second of three packets that, together, are capable of establishing a socket connection.

Returning to decision 406 of FIG. 4A, if the present packet is not a SYN packet, it is then determined whether the packet is a SYN/ACK packet in decision 408. If so, the process continues in FIG. 4B, as indicated.

With reference now to FIG. 4B, a control block (which includes the aforementioned hash) associated with the SYN/ACK packet may be retrieved. See operation 418. In particular, the control block associated with the connection corresponding with the SYN/ACK packet may be retrieved. To this end, a comparison of the hashes may be made by the transport offload engine, as indicated by decision 420.

As an option, an IPSec enable bit may be included in a control block associated with a socket connection. The IPSec enable bit may be used to indicate whether the associated connection should be IPSec protected or not. When a packet is received, a bit is tracked along with the packet to indicate whether the packet received included any IPSec protocols. In this manner, the IPSec bit tracked with the received packet may be compared to the IPSec enable bit in the control block associated with the received packet. If the two aforementioned bits do not match, then the packet may be rejected. A secondary measure of integrity is thus provided over and above that provided by the use of the hash.

Returning now to FIG. 4B, if the hash associated with the SYN/ACK packet matches the hash associated with the control block, the SYN/ACK packet may be accepted. See operation 424. In such case, a handshake ACK packet may be generated and sent over the network, thus completing the connection establishment process. Note operation 426. On the other hand, if the hash associated with the SYN/ACK packet does not match the hash associated with the control block (per decision 420), the SYN/ACK packet may be rejected. Note operation 422.

Returning again to FIG. 4A, if it is determined that the packet is neither a SYN packet nor a SYN/ACK packet (note operations 406 and 408), operation may continue per FIG. 4C. Specifically, a control block (which includes the hash) associated with the packet may be retrieved, similar to before. See operation 430. If a hash associated with the packet matches the hash associated with the control block (per decision 432), the packet may be accepted. See operation 436. If, not, the packet may be rejected, as indicated in operation 434.

Similar to before, an IPSec enable bit indicating whether IPSec protocols should be used on the socket connection may be extracted from the control block associated with the received packet at this point in time. The IPSec enable bit, is then compared to a bit which indicates whether the received packet included at least one IPSec protocol. Assuming that there is a match, operation may continue as follows. Otherwise, a failed match may terminate further operation.

FIG. 5 illustrates an exemplary method 500 for security service validation from a client socket (i.e. connection) perspective, in accordance with one embodiment. As an option, the method 500 may be carried out in the context of the exemplary architecture 500 of FIG. 3 and, in combination with the server method 400 of FIGS. 4A-4C Of course, however, it should be noted that the method 500 may be implemented in any desired, sole context. Moreover, while various functions may be attributed to exemplary components (i.e. like those set forth hereinabove), it is important to understand that the various functionality may be carried out by any desired entity.

As shown, a client connection is initially requested, as indicated in operation 502. This may be accomplished in any desired manner. Just by way of example, a processor (see, for example, processor 304 of FIG. 3) may initiate the connection establishment process. Next, IPSec processing is performed in operation 504. Specifically, at least one IPSec policy is consulted or used for calculating a hash in a manner similar, if not identical, to that described hereinabove.

Next, in operation 506, a control block is generated which includes the hash, utilizing the transport offload engine. Still yet, in operation 508, a SYN packet may be generated and transmitted to a remote TCP host.

At this point, the present method 500 waits for a SYN/ACK packet response in operation 509, assuming that the hash is legitimate. After waiting for a response, the SYN/ACK packet may be received in operation 510.

A hash associated with the packet is then calculated in operation 512 during the course of either a decryption and/or authentication of the packet, similar to that disclosed during reference to operation 404 of FIG. 4A. Since, from the client perspective, many different packet types may be received after generating the SYN packet in operation 508, it is determined in decision 516 whether the packet received in operation 510 is a SYN/ACK packet. If the packet is indeed a SYN/ACK packet per decision 516, a control block (which includes the earlier calculated hash) associated with the connection of the SYN/ACK packet is retrieved. Note operation 520.

Another comparison operation is then made in decision 516. If the hash associated with the SYN/ACK packet matches the hash associated with the control block, the SYN/ACK packet is accepted. See operation 520. Moreover, a handshake ACK may be generated and transmitted in response to the SYN/ACK packet, as indicated in operation 522. Subsequent incoming packets after the handshake ACK is transmitted are processed in accordance to FIGS. 4A-C. If, however, the hash associated with the SYN/ACK packet does not match the hash associated with the control block, the SYN/ACK packet is rejected in operation 518.

To this end, IPSec processing may optionally be offloaded from the processor, utilizing the transport offload engine. Further, the security service may be validated at a network protocol layer that resides above the IPSec protocol layer, to facilitate processing. More information will now be set forth regarding one exemplary technique by which the aforementioned hashes may be calculated.

FIG. 6 illustrates an exemplary framework 600 involved in generating a hash, in accordance with one embodiment. As an option, the framework 600 may be used in the context of the disclosure of the previous figures. For example, the framework 600 may be used in the context of operations 404 of FIG. 4A, and operations 504 and 512 of FIG. 5.

Of course, however, it should be noted that the framework 500 may be implemented in any desired context. Most importantly, the exemplary framework 500 is set forth for illustrative purposes only, and should not be considered as limiting in any manner.

In use, a function is applied to a plurality of security associations (SAs) and inner-IP headers. Such function, in one embodiment, may include an order-dependent XOR checksum with rotate operation. Note Equation (s) #1.

H′=ROL(H)XOR RAND[x] Equation(s) #1

As shown, RAND[x] includes a random value stored in the SA for SA handle ‘x’, where a handle includes an identifier that references a particular SA. There is also a special case denoted by ‘RAND[IP]’ where IP denotes the encounter of any inner-IP header instead of an SA handle, and is stored separately. Moreover, ROL is a rotate-left operator. H′ includes the new hash value, while H includes the old hash value (initially set to 0).

Thus, to apply to an ordered list of SA handles and IP headers {s, t, IP, u}, where ‘IP’ denotes the encounter of an inner IP header, the operations of Equation (s) #2 would be carried out.

H=0
H′=ROL(H)XOR RAND[s]
H″=ROL(H′)XOR RAND[t]
H′″=ROL(H″)XOR RAND[IP]
H″″=ROL(H′″)XOR RAND[u] Equation(s) #2

By this design, an attacker cannot successfully use the same SA handle as the host it is trying to spoof without knowing the hash for that SA-handle. Therefore, an attacker may use a different SA handle, and this results in another random hash value.

Thus, in the present embodiment, it is still possible for an attacker to use a brute force attack. The number of tries needed to randomly collide with a given hash with probability ½ is ln(2)*(2³²) for a 32-bit hash. To protect against this, an exception may be generated by the transport offload engine when there is an authenticated packet that does not have a matching hash. This may be used as a strong indicator of an attack.

It is improbable that a corrupted TCP/IP packet would pass TCP checksum, IP checksum, and authentication; but then fail the hash test. In this case, the best course of action may be to deny or limit further Internet security association and key management protocol (ISAKMP) establishment with the attacker source IP address. The attacker thus has a very high probability of being identified because the hash used would be the attacker's hash, which has a probability of at most (2¹⁶)/(2³²)=1/(2¹⁶) of colliding with another hash. This assumes at most 2¹⁶SAs are supported on the receive side. If more SAs are to be supported, the number of bits for the hash should be increased.

To further increase confidence, subsequent attempts by the attacker again have only a 1/(2¹⁶) chance of colliding, therefore after ‘p’ attempts there is only a 1/(2¹⁶)^pchance of ambiguous identity. Since on the order of 2¹⁶attempts are needed to successfully spoof the connection, it can be assured that the attacker can be identified and further ISAKMP negotiations with him/her halted until all existing SAs have retired (that is, until the system is outside the scope of this attack).

Thus, the aforementioned function yields one number H, the hash. As mentioned earlier, this hash may be compared against pre-calculated stored values in a connection management database/data structure which may be re-calculated as part of establishing a connection (based on an actual IPSec policy database, etc.). Each packet may thus be accepted or rejected based on a similar comparison.

In one embodiment, the aforementioned function may ensure that only packets with the following SAs and IP headers of Table #1 are acceptable (in order).

TABLE 1

(A_i, B_j, IP, C_k, D_l) for all i, j, k, l

Thus, a packet may be rejected if the associated SAs are in the wrong order. Note Table #2.

TABLE 2

(B₁, A₀, IP, C₃, D₂)

Further, a packet may be rejected if the packet has too few or too many SAs. Note Table #3.

TABLE 3

(A₁, B₃, IP, C₂)

Still yet, a packet may be rejected if the packet has a wrong SA(s). Note Table #4.

TABLE 4

(A₀, F₅, IP, C₃, D₂)

Still yet, a packet may be rejected if the packet has too many or too few IP headers. Note Table #5.

TABLE 5

(A₀, B₅, IP, C₃, D₂, IP)

Still yet, a packet may be rejected if the packet has IP headers in the wrong position. Note Table #6.

TABLE 6

(A₀, B₅, C₃, IP, D₂)

Thus, a one-time-pad may be applied so that each current and future A_k(where k=0 . . . x) maps to one fixed (randomly chosen) value, which may be subsequently used as a substitute, at least in part, for resource-intensive conventional IPSec processing.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims

1. A method for validating a security service associated with packets communicated on a network, comprising: receiving a packet at a transport offload engine;decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;calculating a hash of a security service based on the packet, utilizing the transport offload engine;determining whether the packet is a SYN packet utilizing the transport offload engine;in response to a determination that the packet is a SYN packet: sending the SYN packet from the transport offload engine to a processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor; performing IPSec policy checking of the SYN packet utilizing the processor;determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; andsending the SYN/ACK packet utilizing the transport offload engine.
2. The method as recited in claim 1, wherein the security service includes at least one of: authentication, encryption, terms of use of authentication, and terms of use of encryption.
3. The method as recited in claim 2, wherein the security service includes at least one of a security association and an inner-Internet Protocol (IP) header.
4. The method as recited in claim 2, wherein the security service includes the IPSec transformation.
5. The method as recited in claim 1, wherein the hash is order-dependent.
6. The method as recited in claim 1, wherein the hash has a fixed length.
7. The method as recited in claim 1, wherein the hash is generated utilizing an XOR operation.
8. The method as recited in claim 1, wherein the hash is generated utilizing a random number.
9. The method as recited in claim 8, wherein the random number is unique to a security association and any descendents of the security association.
10. The method as recited in claim 1, wherein the hash that is generated for a first instance of the security service is the same as the hash that is generated for a subsequent instance of the security service.
11. The method as recited in claim 1, and further comprising determining whether the packet is a synchronize acknowledgement (SYN/ACK) packet.
12. The method as recited in claim 11, if it is determined that the packet is the SYN/ACK packet, further comprising retrieving another control block associated with the SYN/ACK packet, which includes another hash.
13. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet matches the hash associated with the control block, further comprising accepting the SYN/ACK packet, and generating a handshake ACK packet.
14. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet matches the hash associated with the control block, further comprising generating a handshake ACK packet.
15. The method as recited in claim 12, wherein, if the another hash associated with the SYN/ACK packet does not match the hash associated with the control block, further comprising rejecting the SYN/ACK packet.
16. The method as recited in claim 1, and further comprising determining whether the packet is neither a synchronize (SYN) packet nor a synchronize acknowledgement (SYN/ACK) packet.
17. The method as recited in claim 16, if it is determined that the packet is neither the SYN packet nor the SYN/ACK packet, further comprising retrieving another control block associated with the packet, which includes another hash.
18. The method as recited in claim 17, wherein, if the another hash associated with the packet matches the hash associated with the control block, further comprising accepting the packet.
19. The method as recited in claim 17, wherein, if the another hash associated with the packet does not match the hash associated with the control block, further comprising rejecting the packet.
20. The method as recited in claim 1, and further comprising requesting a client connection.
21. The method as recited in claim 20, and further comprising generating another synchronize (SYN) packet.
22. The method as recited in claim 21, and further comprising receiving another SYN/ACK packet in response to the another SYN packet.
23. The method as recited in claim 22, and further comprising calculating another hash associated with the another SYN/ACK packet.
24. The method as recited in claim 23, wherein, if the another hash associated with the another SYN/ACK packet matches the hash associated with the control block, further comprising accepting the another SYN/ACK packet, and generating a handshake ACK packet.
25. The method as recited in claim 23, wherein, if the another hash associated with the another SYN/ACK packet does not match the hash associated with the control block, further comprising rejecting the another SYN/ACK packet.
26. The method as recited in claim 1, wherein the security service is validated at a network protocol layer that resides above an IPSec protocol layer.
27. The method as recited in claim 1, wherein at least one of the decrypting and the authenticating is performed on the packet utilizing an ordered-list of IPSec transformations.
28. The method as recited in claim 1, wherein the IPSec transformation includes an IPSec transformation utilized to perform the decrypting and the authenticating on the packet.
29. The method as recited in claim 1, wherein the hash is calculated utilizing an order-dependent XOR checksum with rotate operation.
30. The method as recited in claim 1, wherein when an authenticated packet is received that does not have a matching hash, the transport offload engine generates an exception and limits Internet security association and key management protocol (ISAKMP) establishment with a source IP address associated with the authenticated packet.
31. The method as recited in claim 1, wherein the hash of the security service based on the packet is calculated utilizing a security association, an ordered list of security association handles, and a plurality of IP headers.
32. The method as recited in claim 31, wherein the hash of the security service is calculated by: setting an initial hash value to 0;calculating a first rotate-left value by performing a rotate-left operation on the initial hash value;calculating a first random value utilizing a first of the plurality of IP headers and a first of the security association handles associated with the first of the plurality of IP headers;calculating a first hash value by performing an XOR operation between the first rotate-left value and the first random value;calculating a second rotate-left value by performing a rotate-left operation on the first hash value;calculating a second random value utilizing a second of the plurality of IP headers and a second of the security association handles associated with the second of the plurality of IP headers;calculating a second hash value by performing an XOR operation between the second rotate-left value and the second random value;calculating a third rotate-left value by performing a rotate-left operation on the second hash value;calculating a third random value utilizing an inner IP header of the plurality of IP headers and a third of the security association handles associated with the inner IP header of the plurality of IP headers;calculating a third hash value by performing an XOR operation between the third rotate-left value and the third random value;calculating a fourth rotate-left value by performing a rotate-left operation on the third hash value;calculating a fourth random value utilizing a fourth of the plurality of the IP headers and a fourth of the security association handles associated with the fourth of the plurality of IP headers; andcalculating the hash by performing an XOR operation between the fourth rotate-left value and the fourth random value.
33. A transport offload engine sub-system, comprising: a transport offload engine, which includes a tangible circuit, in communication with a hardware processor and a network, the transport offload engine for: receiving a packet,decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,calculating a hash of a security service based on the packet,determining whether the packet is a SYN packet,in response to a determination that the packet is a SYN packet, sending the SYN packet to a processor, sending the IPSec transformation to the processor, and sending the hash to the processor for performing IPSec policy checking of the SYN packet and determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor,in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,generating the SYN/ACK packet based on the SYN packet, andsending the SYN/ACK packet.
34. A system, comprising: a hardware processor; anda transport offload engine in communication with the hardware processor and a network via a bus, the transport offload engine for: receiving a packet,decrypting and authenticating the packet, the decrypting utilizing an Internet Protocol Security (IPSec) transformation,calculating a hash of a security service based on the packet,determining whether the packet is a SYN packet,in response to a determination that the packet is a SYN packet: sending the SYN packet from the transport offload engine to the processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor,in response to a determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash, the control block for network socket management,generating the SYN/ACK packet based on the SYN packet, andsending the SYN/ACK packet;wherein the hardware processor is operable to: perform IPSec policy checking of the SYN packet, anddetermine that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking.
35. A computer program product embodied on a non-transitory computer readable medium for validating a security service associated with packets communicated on a network, comprising: computer code for receiving a packet at a transport offload engine;computer code for decrypting and authenticating the packet utilizing the transport offload engine, the decrypting utilizing an Internet Protocol Security (IPSec) transformation;computer code for calculating a hash of a security service based on the packet, utilizing the transport offload engine;computer code for determining whether the packet is a SYN packet utilizing the transport offload engine;computer code for, in response to a determination that the packet is a SYN packet: sending the SYN packet from the transport offload engine to a processor,sending the IPSec transformation from the transport offload engine to the processor, andsending the hash from the transport offload engine to the processor;computer code for performing IPSec policy checking of the SYN packet utilizing the processor;computer code for determining that the SYN packet and a connection related to the SYN packet are allowed based on the IPSec policy checking, utilizing the processor;computer code for, in response to the determination that the SYN packet and the related connection are allowed, and prior to generating a SYN/ACK packet, generating a control block including the hash utilizing the transport offload engine, the control block for network socket management;computer code for generating the SYN/ACK packet based on the SYN packet, utilizing the transport offload engine; andcomputer code for sending the SYN/ACK packet utilizing the transport offload engine.

US Referenced Citations (231)

Number	Name	Date	Kind
212889	Bridenthal, Jr. et al.	Mar 1879	A
4807111	Cohen et al.	Feb 1989	A
4839851	Maki	Jun 1989	A
4965716	Sweeney	Oct 1990	A
4991133	Davis et al.	Feb 1991	A
5012489	Burton et al.	Apr 1991	A
5056058	Hirata et al.	Oct 1991	A
5058110	Beach et al.	Oct 1991	A
5161193	Lampson et al.	Nov 1992	A
5163131	Row et al.	Nov 1992	A
5307413	Denzer	Apr 1994	A
5426694	Herbert	Jun 1995	A
5430727	Callon	Jul 1995	A
5440551	Suzuki	Aug 1995	A
5442637	Nguyen	Aug 1995	A
5448558	Gildea et al.	Sep 1995	A
5455599	Cabral et al.	Oct 1995	A
5485460	Schrier et al.	Jan 1996	A
5495480	Yoshida	Feb 1996	A
5499353	Kadlec et al.	Mar 1996	A
5513324	Dolin, Jr. et al.	Apr 1996	A
5519704	Farinacci et al.	May 1996	A
5544357	Huei	Aug 1996	A
5546453	Hebert	Aug 1996	A
5566170	Bakke et al.	Oct 1996	A
5577105	Baum et al.	Nov 1996	A
5577172	Vatland et al.	Nov 1996	A
5577237	Lin	Nov 1996	A
5581686	Koppolu et al.	Dec 1996	A
5596702	Stucka et al.	Jan 1997	A
5598410	Stone	Jan 1997	A
5619650	Bach et al.	Apr 1997	A
5621434	Marsh	Apr 1997	A
5625678	Blomfield-Brown	Apr 1997	A
5625825	Rostoker et al.	Apr 1997	A
5634015	Chang et al.	May 1997	A
5636371	Yu	Jun 1997	A
5640394	Schrier et al.	Jun 1997	A
5650941	Coelho et al.	Jul 1997	A
5663951	Danneels et al.	Sep 1997	A
5664162	Dye	Sep 1997	A
5666362	Chen et al.	Sep 1997	A
5675507	Bobo, II	Oct 1997	A
5678060	Yokoyama et al.	Oct 1997	A
5680605	Torres	Oct 1997	A
5687314	Osman et al.	Nov 1997	A
5696899	Kalwitz	Dec 1997	A
5699350	Kraslavsky	Dec 1997	A
5701316	Alferness et al.	Dec 1997	A
5717691	Dighe et al.	Feb 1998	A
5727149	Hirata et al.	Mar 1998	A
5734852	Zias et al.	Mar 1998	A
5734865	Yu	Mar 1998	A
5748905	Hauser et al.	May 1998	A
5754540	Liu et al.	May 1998	A
5754556	Ramseyer et al.	May 1998	A
5761281	Baum et al.	Jun 1998	A
5778178	Arunachalam	Jul 1998	A
5790546	Dobbins et al.	Aug 1998	A
5790676	Ganesan et al.	Aug 1998	A
5802287	Rostoker et al.	Sep 1998	A
5802306	Hunt	Sep 1998	A
5805816	Picazo, Jr. et al.	Sep 1998	A
5809235	Sharma et al.	Sep 1998	A
5815516	Aaker et al.	Sep 1998	A
5818935	Maa	Oct 1998	A
5826032	Finn et al.	Oct 1998	A
5828880	Hanko	Oct 1998	A
5854750	Phillips et al.	Dec 1998	A
5870549	Bobo, II	Feb 1999	A
5870622	Gulick et al.	Feb 1999	A
5872919	Wakeland	Feb 1999	A
5877764	Feitelson et al.	Mar 1999	A
5894557	Bade et al.	Apr 1999	A
5909546	Osborne	Jun 1999	A
5918051	Savitzky et al.	Jun 1999	A
5920732	Riddle	Jul 1999	A
5923892	Levy	Jul 1999	A
5935268	Weaver	Aug 1999	A
5937169	Connery et al.	Aug 1999	A
5941988	Bhagwat et al.	Aug 1999	A
5943481	Wakeland	Aug 1999	A
5946487	Dangelo	Aug 1999	A
5966534	Cooke et al.	Oct 1999	A
5968161	Southgate	Oct 1999	A
5974518	Nogradi	Oct 1999	A
5991299	Radogna et al.	Nov 1999	A
5999974	Ratcliff et al.	Dec 1999	A
6014699	Ratcliff et al.	Jan 2000	A
6016511	Cook	Jan 2000	A
6034963	Minami et al.	Mar 2000	A
6046980	Packer	Apr 2000	A
6049857	Watkins	Apr 2000	A
6061368	Hitzelberger	May 2000	A
6061742	Stewart et al.	May 2000	A
6067407	Wadsworth et al.	May 2000	A
6076115	Sambamurthy et al.	Jun 2000	A
6078736	Guccione	Jun 2000	A
6081846	Hyder et al.	Jun 2000	A
6092110	Maria et al.	Jul 2000	A
6092229	Boyle et al.	Jul 2000	A
6098188	Kalmanek, Jr. et al.	Aug 2000	A
6101543	Alden et al.	Aug 2000	A
6122670	Bennet et al.	Sep 2000	A
6141705	Anand et al.	Oct 2000	A
6151625	Swales et al.	Nov 2000	A
6157955	Narad et al.	Dec 2000	A
6172980	Flanders et al.	Jan 2001	B1
6172990	Deb et al.	Jan 2001	B1
6173333	Jolitz et al.	Jan 2001	B1
6182228	Boden	Jan 2001	B1
6185619	Joffe et al.	Feb 2001	B1
6208651	Van Renesse et al.	Mar 2001	B1
6212560	Fairchild	Apr 2001	B1
6226680	Boucher et al.	May 2001	B1
6230193	Arunkumar et al.	May 2001	B1
6233626	Swales et al.	May 2001	B1
6247060	Boucher et al.	Jun 2001	B1
6247068	Kyle	Jun 2001	B1
6253321	Nikander et al.	Jun 2001	B1
6272639	Holden et al.	Aug 2001	B1
6327625	Wang et al.	Dec 2001	B1
6330248	Krishna et al.	Dec 2001	B1
6330659	Poff et al.	Dec 2001	B1
6334153	Boucher et al.	Dec 2001	B2
6341129	Schroeder et al.	Jan 2002	B1
6345301	Burns et al.	Feb 2002	B1
6347347	Brown et al.	Feb 2002	B1
6370599	Anand et al.	Apr 2002	B1
6389479	Boucher et al.	May 2002	B1
6389537	Davis et al.	May 2002	B1
6393487	Boucher et al.	May 2002	B2
6397316	Fesas, Jr.	May 2002	B2
6427169	Elzur	Jul 2002	B1
6427171	Craft et al.	Jul 2002	B1
6427173	Boucher et al.	Jul 2002	B1
6430628	Conner	Aug 2002	B1
6434620	Boucher et al.	Aug 2002	B1
6460080	Shah et al.	Oct 2002	B1
6470415	Starr et al.	Oct 2002	B1
6530061	Labatte	Mar 2003	B1
6591302	Boucher et al.	Jul 2003	B2
6609225	Ng	Aug 2003	B1
6629141	Elzur et al.	Sep 2003	B2
6658480	Boucher et al.	Dec 2003	B2
6687758	Craft et al.	Feb 2004	B2
6697868	Craft et al.	Feb 2004	B2
6751665	Philbrick et al.	Jun 2004	B2
6757746	Boucher et al.	Jun 2004	B2
6789147	Kessler et al.	Sep 2004	B1
6807581	Starr et al.	Oct 2004	B1
6820117	Johnson	Nov 2004	B1
6882624	Ma	Apr 2005	B1
6915426	Carman et al.	Jul 2005	B1
6938092	Burns	Aug 2005	B2
6941386	Craft et al.	Sep 2005	B2
6965941	Boucher et al.	Nov 2005	B2
6996070	Starr et al.	Feb 2006	B2
7013482	Krumel	Mar 2006	B1
7042898	Blightman et al.	May 2006	B2
7340549	Hoese et al.	Mar 2008	B2
20010021949	Blightman et al.	Sep 2001	A1
20010023460	Boucher et al.	Sep 2001	A1
20010027496	Boucher et al.	Oct 2001	A1
20010036196	Blightman et al.	Nov 2001	A1
20010037397	Boucher et al.	Nov 2001	A1
20010037406	Philbrick et al.	Nov 2001	A1
20010047433	Boucher et al.	Nov 2001	A1
20020055993	Shah et al.	May 2002	A1
20020085562	Hufferd et al.	Jul 2002	A1
20020087732	Boucher et al.	Jul 2002	A1
20020091844	Craft et al.	Jul 2002	A1
20020095519	Philbrick et al.	Jul 2002	A1
20020120899	Gahan et al.	Aug 2002	A1
20020147839	Boucher et al.	Oct 2002	A1
20020156927	Boucher et al.	Oct 2002	A1
20020161919	Boucher et al.	Oct 2002	A1
20020163888	Grinfeld	Nov 2002	A1
20030005142	Elzur et al.	Jan 2003	A1
20030005143	Elzur et al.	Jan 2003	A1
20030014544	Pettey	Jan 2003	A1
20030014624	Maturana et al.	Jan 2003	A1
20030016669	Pfister et al.	Jan 2003	A1
20030031172	Grinfeld	Feb 2003	A1
20030037237	Abgrall et al.	Feb 2003	A1
20030046330	Hayes	Mar 2003	A1
20030046418	Raval et al.	Mar 2003	A1
20030056009	Mizrachi et al.	Mar 2003	A1
20030058870	Mizrachi et al.	Mar 2003	A1
20030061505	Sperry et al.	Mar 2003	A1
20030066011	Oren	Apr 2003	A1
20030079033	Craft et al.	Apr 2003	A1
20030081600	Blaker et al.	May 2003	A1
20030084185	Pinkerton	May 2003	A1
20030095567	Lo et al.	May 2003	A1
20030108033	Raisanen et al.	Jun 2003	A1
20030115350	Uzrad-Nali et al.	Jun 2003	A1
20030115417	Corrigan	Jun 2003	A1
20030128704	Mizrachi et al.	Jul 2003	A1
20030140124	Burns	Jul 2003	A1
20030145101	Mitchell et al.	Jul 2003	A1
20030145270	Holt	Jul 2003	A1
20030161327	Vlodavsky et al.	Aug 2003	A1
20030167346	Craft et al.	Sep 2003	A1
20030200284	Philbrick et al.	Oct 2003	A1
20040003126	Boucher et al.	Jan 2004	A1
20040054813	Boucher et al.	Mar 2004	A1
20040062246	Boucher et al.	Apr 2004	A1
20040064578	Boucher et al.	Apr 2004	A1
20040064589	Boucher et al.	Apr 2004	A1
20040064590	Starr et al.	Apr 2004	A1
20040073703	Boucher et al.	Apr 2004	A1
20040078462	Philbrick et al.	Apr 2004	A1
20040088262	Boucher et al.	May 2004	A1
20040100952	Boucher et al.	May 2004	A1
20040111535	Boucher et al.	Jun 2004	A1
20040117509	Craft et al.	Jun 2004	A1
20040158640	Philbrick et al.	Aug 2004	A1
20040158793	Blightman et al.	Aug 2004	A1
20040240435	Boucher et al.	Dec 2004	A1
20050122986	Starr et al.	Jun 2005	A1
20050141561	Craft et al.	Jun 2005	A1
20050160139	Boucher et al.	Jul 2005	A1
20050175003	Craft et al.	Aug 2005	A1
20050182841	Sharp	Aug 2005	A1
20050198198	Craft et al.	Sep 2005	A1
20050204058	Philbrick et al.	Sep 2005	A1
20050278459	Boucher et al.	Dec 2005	A1
20060010238	Craft et al.	Jan 2006	A1
20070062245	Fuller et al.	Mar 2007	A1
20070253430	Minami et al.	Nov 2007	A1

Foreign Referenced Citations (35)

Number	Date	Country
4595297	May 1998	AU
7364898	Nov 1998	AU
4435999	Dec 1999	AU
723724	Sep 2000	AU
0070603	Mar 2001	AU
734115	Jun 2001	AU
0741089	Nov 2001	AU
0228874	May 2002	AU
2265692	May 1998	CA
2287413	Nov 1998	CA
2328829	Dec 1999	CA
2265692	Aug 2001	CA
1237295	Dec 1999	CN
1266512	Sep 2000	CN
1305681	Jul 2001	CN
3022159	Jan 1991	JP
3273350	Dec 1991	JP
5183603	Jul 1993	JP
6309251	Nov 1994	JP
2000235536	Aug 2000	JP
447205	Jul 2001	TW
448407	Aug 2001	TW
WO9821655	May 1998	WO
9835480	Aug 1998	WO
WO 9850852	Nov 1998	WO
WO 9965219	Dec 1999	WO
WO 0113583	Feb 2001	WO
WO 0128179	Apr 2001	WO
0227519	Apr 2002	WO
WO 0239302	May 2002	WO
WO 02059757	Aug 2002	WO
WO 02086674	Oct 2002	WO
WO 03021443	Mar 2003	WO
WO 03021447	Mar 2003	WO
WO 03021452	Mar 2003	WO

Integrated policy checking system and method

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

US Classifications

Field of Search

US

International Classifications

Term Extension

Abstract

Description

Claims

US Referenced Citations (231)

Foreign Referenced Citations (35)