The instant disclosure relates to computer networks. More specifically, this disclosure relates to securing computer networks.
Internet Protocol Security (IPsec) is a complex set of protocols, defined by IETF standards, that provides network layer security by encrypting, decrypting, and authenticating Internet protocol (IP) packets. However, IPsec is a relatively new protocol, compared to the Internet Protocol (IP). Thus, existing devices may support IP communications, but not IPsec communications. These devices may be introduced into secure networks and a method and system may be desired to allow these IP devices to interact through IPsec in a secure network.
IPsec and IKE processing may be off-loaded from the devices to an IPSec front-end. The IPsec front-end creates a border between a non-secure network containing the IP device and a secure network containing IPsec devices. To an IPSec peer, the host system will appear to support IPSec and IKE protocols, while to the hosted device(s), a peer will seem to be sending traffic in the clear. The IPSec front-end may have no IP addresses assigned to its interfaces, and thus may be considered part of the attached hosts rather than a separate device.
According to one embodiment, a method includes receiving, by an IPSec front-end, clear text data formatted in an internet protocol (IP) packet from a host. The method also includes stripping, by the IPSec front-end, of network addressing information from the clear text data. The method further includes encrypting and authenticating, by the IPSec front-end, the clear text data. The method also includes formatting, by the IPSec front-end, the encrypted data into a secure IP (IPsec) packet by reattaching of the previously stripped network addressing information.
According to another embodiment, a computer program product including a non-transitory computer-readable medium having code to receive, by the IPSec front-end, clear text data formatted in an internet protocol (IP) packet from a host. The medium also includes code to strip, by the IPSec front-end, network information from the clear text data. The medium further includes code to encrypt and authenticate, by the IPSec front-end, the clear text data. The medium also includes code to format, by the IPSec front-end, the encrypted data into a secure IP (IPsec) packet.
According to yet another embodiment, an apparatus includes a memory, a network interface, and a processor coupled to the memory and the network interface. The processor is configured to receive, through the network interface, clear text data formatted in an internet protocol (IP) packet from a host. The processor is also configured to strip, through the network interface, network address information from the clear text data. The processor is further configured to encrypt and authenticate, through the network interface, the clear text data. The processor is also configured to format, through the network interface, the encrypted data into a secure IP (IPsec) packet.
According to one embodiment, a method includes receiving, by an IPSec front-end, encrypted and authenticated IPsec messages formatted in an internet protocol (IP) packet from a network peer. The method also includes stripping, by the IPsec front-end, of network addressing information from the network input. The method further includes decrypting and authenticating network input, by the IPsec front-end, and reformatting the data into a clear text packet by reattaching the previously stripped network addressing information to the data.
According to another embodiment, a computer program product includes a computer-readable memory having code to receive, by an IPSec front-end, encrypted and authenticated IPsec messages formatted in an internet protocol (IP) packet from a network peer. The medium also includes code to strip, by the IPsec front-end, of network addressing information from the network input. The medium further includes code to decrypt and authenticate network input, by the IPsec front-end, and reformat the data into a clear text packet by reattaching the previously stripped network addressing information to the data.
According to yet another embodiment, an apparatus includes a memory, a network interface operating as an IPsec front-end, and a processor coupled to the memory and the network interface. The processor is configured to receive, by the IPSec front-end, encrypted and authenticated IPsec messages formatted in an internet protocol (IP) packet from a network peer. The processor is also configured to strip, by the IPsec front-end, of network addressing information from the network input. The processor is further configured to decrypt and authenticate network input, by the IPsec front-end, and reformat the data into a clear text packet by reattaching the previously stripped network addressing information to the data.
The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. It should be appreciated by those skilled in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. The novel features that are believed to be characteristic of the invention, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present invention.
For a more complete understanding of the disclosed system and methods, reference is now made to the following descriptions taken in conjunction with the accompanying drawings.
In one embodiment, traffic is not addressed to an interface on the bridge 102. That is, the bridge 102 may have no IP addresses, IP route or neighbor tables pertaining to the bridged interfaces 104 and 106. The host 104 may determine the destination IP and media access control (MAC) addresses without knowledge of the bridge 102. The bridge 102 may snoop incoming and/or outgoing packets to the host-side 110 to determine MAC and/or IP addresses and identify packets for IPsec conversion.
According to another embodiment, the IPSec front-end 102 may be assigned a broadcast destination MAC address to receive communications from the host 104. For example, control messages may be transmitted from the host-side 110 having the broadcast destination MAC address. Control messages may include, for example, messages setting new policies for determining packets to encrypt and reformat as IPsec packets.
All traffic not specified to be encrypted between the host-side 110 and the network-side 120 may be passed through the IPSec front-end transparently. A policy configured on the bridge 102 may specify particular traffic as PROTECT (to encrypt/decrypt traffic), DROP (to ignore traffic) or PASS (to transparently relay traffic). For example, IPv6 unicast traffic may be configured as PROTECT. According to one embodiment, neighbor discovery protocol packets may be passed transparently through the bridge 102.
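The following is an added worked example, not part of the original disclosure, showing the PROTECT/DROP/PASS policy of the preceding paragraph as a Go classifier over raw Ethernet frames. The Ethernet and IPv6 field offsets are standard; the decision to DROP frames too short to parse, the treatment of IPv6 multicast destinations as non-unicast (PASS), and the sample addresses and MAC values are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Action is the front-end's policy verdict for one Ethernet frame.
type Action int

const (
	Pass    Action = iota // relay unchanged between host-side and network-side
	Drop                  // ignore the frame
	Protect               // strip headers, apply or remove IPsec, reattach headers
)

const (
	ethLen        = 14 // dst MAC, src MAC, ethertype
	ip6Len        = 40 // fixed IPv6 header
	etherTypeIPv6 = 0x86DD
	icmpv6        = 58 // IPv6 next-header value for ICMPv6
)

// Classify applies the policy from the text: IPv6 unicast is PROTECT, ICMPv6
// neighbor discovery (types 133-137) and non-IPv6 frames are PASS. Frames too
// short to parse are DROP (this example's own choice, not the page's).
func Classify(frame []byte) Action {
	if len(frame) < ethLen {
		return Drop
	}
	if binary.BigEndian.Uint16(frame[12:14]) != etherTypeIPv6 {
		return Pass
	}
	ip := frame[ethLen:]
	if len(ip) < ip6Len {
		return Drop
	}
	if ip[6] == icmpv6 && len(ip) > ip6Len && ip[ip6Len] >= 133 && ip[ip6Len] <= 137 {
		return Pass // RS, RA, NS, NA, Redirect: neighbor discovery
	}
	if ip[24] == 0xff {
		return Pass // destination in ff00::/8 is multicast, not unicast
	}
	return Protect
}

// BuildIPv6Frame constructs a minimal Ethernet/IPv6 frame as sample input
// (constructed, not captured); the MAC addresses are locally administered placeholders.
func BuildIPv6Frame(dst, src []byte, nextHdr byte, payload []byte) []byte {
	f := make([]byte, ethLen+ip6Len, ethLen+ip6Len+len(payload))
	copy(f, []byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1}) // dst MAC, src MAC
	binary.BigEndian.PutUint16(f[12:14], etherTypeIPv6)
	f[ethLen] = 0x60 // version 6
	binary.BigEndian.PutUint16(f[ethLen+4:ethLen+6], uint16(len(payload)))
	f[ethLen+6], f[ethLen+7] = nextHdr, 64 // next header, hop limit
	copy(f[ethLen+8:ethLen+24], src)
	copy(f[ethLen+24:ethLen+40], dst)
	return append(f, payload...)
}

func main() {
	src := append([]byte{0x20, 0x01, 0x0d, 0xb8}, make([]byte, 12)...) // 2001:db8::1 (constructed)
	dst := append([]byte{0x20, 0x01, 0x0d, 0xb8}, make([]byte, 12)...) // 2001:db8::2 (constructed)
	src[15], dst[15] = 1, 2
	names := map[Action]string{Pass: "PASS", Drop: "DROP", Protect: "PROTECT"}
	fmt.Println("unicast TCP:", names[Classify(BuildIPv6Frame(dst, src, 6, []byte("payload")))])
	fmt.Println("neighbor solicitation:", names[Classify(BuildIPv6Frame(dst, src, icmpv6, []byte{135, 0, 0, 0}))])
}
```

The classifier only needs the first 41 bytes of a frame, which is what a bridge that snoops traffic without holding any addresses of its own (as the text describes) would inspect before deciding whether the packet enters the IPsec path.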
When a packet is identified as PROTECT, the IPSec front-end 102 may split Ethernet headers from the received packet, whether received from the network-side 120 or the host-side 110. Then, IPsec processing may be performed on the packet. For example, IPsec may be removed from packets on reception from the network-side 120 and applied to packets on reception from the host-side 110. After the data is encrypted or decrypted, the Ethernet headers and addresses may be reapplied and the packet forwarded.
At block 204, network address information is stripped, by the bridge, from the clear text data received from the host. At block 206, the data is encrypted and authenticated by the IPSec front-end. At block 208, the encrypted data is formatted, by the IPSec bridge, into a secure IP packet.
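The following is an added worked example, not part of the original disclosure, of the two PROTECT paths described above: the host-side path that strips the Ethernet header, encrypts and authenticates the clear text data and reattaches the header (blocks 204 to 208), and the network-side path that reverses it. The disclosure does not name an algorithm; this example assumes AES-GCM keyed per security association, a simplified ESP-style record (SPI, sequence number, nonce, ciphertext with tag) rather than the exact ESP layout of RFC 4303/4106, and a single-value sequence check in place of ESP's sliding replay window. Each end holds its own SA object, as each end of a real SA keeps its own sequence state.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const ethLen = 14 // dst MAC, src MAC, ethertype

// SA is one direction of a security association: SPI, AES-GCM key and the last
// sequence number sent or accepted (single-value replay check; real ESP keeps a
// sliding window). Each end of the link holds its own SA object.
type SA struct {
	SPI  uint32
	aead cipher.AEAD
	seq  uint32
}

func NewSA(spi uint32, key []byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{SPI: spi, aead: aead}, nil
}

// Protect is the host-side path: split off the Ethernet header, seal the IP
// packet, reattach the header. The body is a simplified ESP-style record
// SPI||seq||nonce||ciphertext+tag, with SPI||seq as associated data so the
// receiver authenticates them as well.
func (sa *SA) Protect(frame []byte) ([]byte, error) {
	if len(frame) < ethLen {
		return nil, errors.New("short frame")
	}
	sa.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seq)
	nonce := make([]byte, sa.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append(append([]byte{}, frame[:ethLen]...), hdr...), nonce...)
	return sa.aead.Seal(out, nonce, frame[ethLen:], hdr), nil
}

// Unprotect is the network-side path: split off the Ethernet header, check SPI
// and sequence number, open the record, reattach the header.
func (sa *SA) Unprotect(frame []byte) ([]byte, error) {
	ns := sa.aead.NonceSize()
	if len(frame) < ethLen+8+ns+sa.aead.Overhead() {
		return nil, errors.New("short protected frame")
	}
	hdr, nonce, ct := frame[ethLen:ethLen+8], frame[ethLen+8:ethLen+8+ns], frame[ethLen+8+ns:]
	if binary.BigEndian.Uint32(hdr[0:4]) != sa.SPI {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:8])
	if seq <= sa.seq {
		return nil, errors.New("replayed sequence number")
	}
	out, err := sa.aead.Open(append([]byte{}, frame[:ethLen]...), nonce, ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	sa.seq = seq // advance only after the record authenticated
	return out, nil
}

func main() {
	key := make([]byte, 32)            // constructed all-zero demo key; real SAs use IKE-derived keys
	hostSide, _ := NewSA(0x1001, key) // outbound state at the host's front-end
	peerSide, _ := NewSA(0x1001, key) // inbound state at the peer
	frame := append([]byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x86, 0xdd}, "constructed clear-text IPv6 packet"...)
	sealed, err := hostSide.Protect(frame)
	if err != nil {
		panic(err)
	}
	clear, err := peerSide.Unprotect(sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && string(clear) == string(frame))
	_, err = peerSide.Unprotect(sealed)
	fmt.Printf("replay rejected: %v\n", err != nil)
}
```

Note that the Ethernet header is carried outside the authenticated record, exactly as the disclosure describes stripping and reattaching addressing information; anything that must be bound to the addresses has to be covered by the IP-layer IPsec processing, not by the bridge's header handling.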
A special address, such as 127.0.0.10, may be configured as a DNS server address within the IPSec front-end 102. This address and/or UDP port 53 may be trapped within the IPSec front-end 102, such as by a kernel of the host operating system, and the message passed to Ethernet interface 402 along with a new ethertype value and a broadcast MAC address. According to one embodiment, the special address may be a loopback address.
Because the IPSec front-end 102 strips IP headers, the host 104 may not be aware of settings on the network-side of the IPSec front-end 102. As a result, the host 104 may transmit packets that exceed a maximum transmission unit (MTU) size of the secure network.
Other networks between the IPSec front-end 102 and a peer may have smaller MTU values not known to the IPSec front-end 102 or the host 104.
According to one embodiment, the IPSec front-end 102 may maintain PMTU data within IPsec security association (SA) tables and signal to the host 104 an MTU size to use via an ICMP ‘too-big’ message. The IPSec front-end 102 may age and update path MTU (PMTU) size variables to discover whether the stored PMTU is smaller than current network conditions allow. The host 104 may store MTU values on a connection-by-connection basis, based on messages received from the IPSec front-end 102. When an ICMP message-too-big is received by the host 104, the MTU value may be updated on the entry for a particular connection on an interface.
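The following is an added worked example, not part of the original disclosure, of the PMTU handling in the three preceding paragraphs: a per-SA PMTU table that only accepts reductions, ages a learned value back to the link MTU so a recovered path is rediscovered, derives the clear-text size the host may send by subtracting the IPsec overhead, and builds the ICMPv6 Packet Too Big body (RFC 4443 type 2) signalled to the host. The per-packet overhead figure, the aging interval, the clamp to the 1280-byte IPv6 minimum MTU and the sample SPI and sizes are this example's own assumptions; the IPv6 encapsulation and checksum of the ICMPv6 message are left to the emitting interface.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"time"
)

const (
	ethLen    = 14
	ip6MinMTU = 1280 // every IPv6 link carries at least this; ICMPv6 errors are sized to fit it
	// Assumed worst-case bytes the front-end adds per packet (tunnel-mode ESP with
	// AES-GCM): SPI+seq 8, IV 8, padding and trailer up to 5, ICV 16, outer IPv6 40.
	espOverhead = 8 + 8 + 5 + 16 + 40
)

// PathMTU is the per-SA record: the PMTU learned from the network side and when.
type PathMTU struct {
	MTU     int
	Learned time.Time
}

// PMTUTable holds PMTU state keyed by SPI, as the text describes storing it in
// the SA tables. linkMTU applies until a smaller value is learned for a path;
// a learned value is discarded after ageAfter so a recovered path is rediscovered.
type PMTUTable struct {
	linkMTU  int
	ageAfter time.Duration
	entries  map[uint32]*PathMTU
}

func NewPMTUTable(linkMTU int, ageAfter time.Duration) *PMTUTable {
	return &PMTUTable{linkMTU: linkMTU, ageAfter: ageAfter, entries: map[uint32]*PathMTU{}}
}

// Update records a PMTU reported from the network side. Only reductions are
// taken, and nothing below the IPv6 minimum: a bogus or forged report cannot
// drive the path MTU to a value that leaves the host unable to send at all.
func (t *PMTUTable) Update(spi uint32, mtu int, now time.Time) {
	if mtu < ip6MinMTU {
		mtu = ip6MinMTU
	}
	if e, ok := t.entries[spi]; !ok || mtu < e.MTU {
		t.entries[spi] = &PathMTU{MTU: mtu, Learned: now}
	}
}

// Lookup returns the current PMTU for an SA, aging out a stale reduction.
func (t *PMTUTable) Lookup(spi uint32, now time.Time) int {
	e, ok := t.entries[spi]
	if !ok {
		return t.linkMTU
	}
	if now.Sub(e.Learned) >= t.ageAfter {
		delete(t.entries, spi)
		return t.linkMTU
	}
	return e.MTU
}

// HostMTU is the largest clear-text IP packet the host may hand over on this
// SA so that, once protected, it still fits the path.
func (t *PMTUTable) HostMTU(spi uint32, now time.Time) int {
	return t.Lookup(spi, now) - espOverhead
}

// PacketTooBig builds the ICMPv6 Packet Too Big body (RFC 4443, type 2, code 0)
// the front-end signals to the host: the MTU to use, then as much of the
// offending packet as fits in the minimum MTU. The IPv6 header and the checksum
// (which needs the pseudo-header) are left to the emitting interface.
func PacketTooBig(mtu int, clearIP []byte) []byte {
	msg := make([]byte, 8) // type, code, checksum (2), MTU (4)
	msg[0] = 2
	binary.BigEndian.PutUint32(msg[4:8], uint32(mtu))
	if room := ip6MinMTU - 40 - 8; len(clearIP) > room {
		clearIP = clearIP[:room]
	}
	return append(msg, clearIP...)
}

// CheckOutbound is the host-side check: true if the frame's IP packet fits the
// SA's path once protected, otherwise false plus the Too-Big message to send back.
func (t *PMTUTable) CheckOutbound(spi uint32, frame []byte, now time.Time) (bool, []byte) {
	if len(frame) < ethLen {
		return false, nil
	}
	ip, limit := frame[ethLen:], t.HostMTU(spi, now)
	if len(ip) <= limit {
		return true, nil
	}
	return false, PacketTooBig(limit, ip)
}

func main() {
	now := time.Now()
	tbl := NewPMTUTable(1500, 10*time.Minute)
	fmt.Println("host MTU on a fresh path:", tbl.HostMTU(0x1001, now))
	tbl.Update(0x1001, 1400, now) // constructed: a router on the path reported 1400
	ok, msg := tbl.CheckOutbound(0x1001, make([]byte, ethLen+1400), now)
	fmt.Println("1400-byte packet fits:", ok, "advertised MTU:", binary.BigEndian.Uint32(msg[4:8]))
}
```

Because the host never sees the network-side headers, the value it is told is already reduced by the front-end's overhead; the host then records it per connection, as the text describes, rather than per interface.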
In one embodiment, the user interface device 710 is referred to broadly and is intended to encompass a suitable processor-based device such as a desktop computer, a laptop computer, a personal digital assistant (PDA) or tablet computer, a smartphone, or other mobile communication device having access to the network 708. In a further embodiment, the user interface device 710 may access the Internet or other wide area or local area network to access a web application or web service hosted by the server 702 and may provide a user interface for enabling a user to modify policy information for an IPSec front-end.
The network 708 may facilitate communications of data between the server 702 and the user interface device 710. The network 708 may include any type of communications network including, but not limited to, a direct PC-to-PC connection, a local area network (LAN), a wide area network (WAN), a modem-to-modem connection, the Internet, a combination of the above, or any other communications network now known or later developed within the networking arts which permits two or more computers to communicate.
The computer system 800 also may include random access memory (RAM) 808, which may be synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), or the like. The computer system 800 may utilize RAM 808 to store the various data structures used by a software application. The computer system 800 may also include read only memory (ROM) 806 which may be PROM, EPROM, EEPROM, optical storage, or the like. The ROM may store configuration information for booting the computer system 800. The RAM 808 and the ROM 806 hold user and system data, and both the RAM 808 and the ROM 806 may be randomly accessed.
The computer system 800 may also include an input/output (I/O) adapter 810, a communications adapter 814, a user interface adapter 816, and a display adapter 822. The I/O adapter 810 and/or the user interface adapter 816 may, in certain embodiments, enable a user to interact with the computer system 800. In a further embodiment, the display adapter 822 may display a graphical user interface (GUI) associated with a software or web-based application on a display device 824, such as a monitor or touch screen.
I/O adapter 810 may couple one or more storage devices 812, such as one or more of a hard drive, a solid state storage device, a flash drive, a compact disc (CD) drive, a floppy disk drive, and a tape drive, to the computer system 800. According to one embodiment, the data storage 812 may be a separate server coupled to the computer system 800 through a network connection to the I/O adapter 810. The communications adapter 814 may be adapted to couple the computer system 800 to the network 708, which may be one or more of a LAN, WAN, and/or the Internet. The user interface adapter 816 couples user input devices, such as a keyboard 820, a pointing device 818, and/or a touch screen (not shown) to the computer system 800. The keyboard 820 may be an on-screen keyboard displayed on a touch panel. The display adapter 822 may be driven by the CPU 802 to control the display on the display device 824. Any of the devices 802-822 may be physical and/or logical.
The applications of the present disclosure are not limited to the architecture of computer system 800. Rather the computer system 800 is provided as an example of one type of computing device that may be adapted to perform the functions of the server 702 and/or the user interface device 710. For example, any suitable processor-based device may be utilized including, without limitation, personal data assistants (PDAs), tablet computers, smartphones, computer game consoles, and multi-processor servers. Moreover, the systems and methods of the present disclosure may be implemented on application specific integrated circuits (ASIC), very large scale integrated (VLSI) circuits, or other circuitry. In fact, persons of ordinary skill in the art may utilize any number of suitable structures capable of executing logical operations according to the described embodiments. For example, the computer system 800 may be virtualized for access by multiple users and/or applications.
In another example, hardware in a computer system may be virtualized through a hypervisor.
If implemented in firmware and/or software, the functions described above may be stored as one or more instructions or code on a computer-readable medium. Examples include non-transitory computer-readable media encoded with a data structure and computer-readable media encoded with a computer program. Computer-readable media includes physical computer storage media. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc includes compact discs (CD), laser discs, optical discs, digital versatile discs (DVD), floppy disks and blu-ray discs. Generally, disks reproduce data magnetically, and discs reproduce data optically. Combinations of the above should also be included within the scope of computer-readable media.
In addition to storage on computer readable medium, instructions and/or data may be provided as signals on transmission media included in a communication apparatus. For example, a communication apparatus may include a transceiver having signals indicative of instructions and data. The instructions and data are configured to cause one or more processors to implement the functions outlined in the claims.
Although the present disclosure and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the present invention, disclosure, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized according to the present disclosure. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.