CA2452052A1 - Virtual private network mechanism incorporating security association processor - Google Patents

Virtual private network mechanism incorporating security association processor Download PDF

Info

Publication number
CA2452052A1
CA2452052A1 CA002452052A CA2452052A CA2452052A1 CA 2452052 A1 CA2452052 A1 CA 2452052A1 CA 002452052 A CA002452052 A CA 002452052A CA 2452052 A CA2452052 A CA 2452052A CA 2452052 A1 CA2452052 A1 CA 2452052A1
Authority
CA
Canada
Prior art keywords
security
security association
circuit according
circuit
socket
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CA002452052A
Other languages
French (fr)
Other versions
CA2452052C (en
Inventor
Yaniv Shafira
Drory Shohat
Moshe Zezak
Niv Gilboa
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telecom Italia SpA
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Publication of CA2452052A1 publication Critical patent/CA2452052A1/en
Application granted granted Critical
Publication of CA2452052C publication Critical patent/CA2452052C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Abstract

A novel and useful virtual private network (VPN) mechanism and related security association processor for maintaining the necessary security relate d parameters to perform security functions such as encryption, decryption and authentication. A security association database (SAD) and related circuitry is adapted to provide the necessary parameters to implement the IPSec group of security specifications for encryption/decryption and authentication. Each security association (SA) entry in the database comprises all the parameters that are necessary to receive and transmit VPN packets according to the IPSe c specification.

Claims (78)

1. A security association processor circuit, comprising:

a security association database for storing security related data for a plurality of security associations, each entry comprising security association related data corresponding to a unique socket;

means for opening a new security association upon receipt of a socket not found in said security association database;

means for searching for and recognizing a security association associated with a packet in accordance with its socket;

means for retrieving from said security association database a plurality of security related parameters; and means for forwarding said plurality of security related parameters to a Virtual Private Networking (VPN) security processor for performing one or more security processes therewith.
2. The circuit according to claim 1, further comprising means for updating the contents of said security association database in accordance with results of said security processes.
3. The circuit according to claim 1, wherein parameters associated with said security association are configured by an entity external to said circuit and wherein said circuit comprises means for storing in said security association database security related data corresponding to said new security association in said security association database and a hash value calculated on the socket associated with said new security association.
4. The circuit according to claim 1, wherein said security association is opened by an entity external to said circuit and wherein said circuit comprises means for inserting a pointer to said new security association in a Least Recently Used (LRU) linked list.
5. The circuit according to claim 1, further comprising means for removing unused security associations from said security association database.
6. The circuit according to claim 1, further comprising means for removing unused security associations from said security association database upon exceeding a maximum timeout.
7. The circuit according to claim 1, further comprising means for removing unused security associations from said security association database upon exceeding a maximum byte count.
8. The circuit according to claim 1, wherein said means for searching for and recognizing a security association comprises:

means for calculating a hash value on the socket associated with the security association to be recognized;

means for looking up a hash pointer in a hash table using hash result as an index;

means for retrieving data from said security association database in accordance with said hash pointer; and means for recognizing said security association if the retrieved data matches the socket associated with the packet.
9. The circuit according to claim 1, wherein said VPN security processor comprises means for performing encryption.
10. The circuit according to claim 1, wherein said VPN security processor comprises means for performing decryption.
11. The circuit according to claim 1, wherein said VPN security processor comprises means for performing authentication.
12. The circuit according to claim 1, wherein said VPN security processor comprises means for performing an IPSec specified service.
13. The circuit according to claim 1, further comprising means for applying an anti-replay mechanism to inbound packets.
14. The circuit according to claim 1, further comprising means for tracking sequence number of inbound packets.
15. The circuit according to claim 1, further comprising means for establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used security associations are stored at the tail and least recently used security associations are stored at the head.
16. The circuit according to claim 15, wherein in the event said LRU list is full, the security associations at the head is deleted and a new security association is added to the tail.
17. The circuit according to claim 1, wherein said socket comprises a Security Parameter Index (SPI), remote IP and Protocol components.
18. The circuit according to claim 1, wherein said security association related data comprises any one or combination of the following values: IPSec mode, encryption algorithm, encryption key.
19. The circuit according to claim 1, wherein said security association related data comprises any one or combination of the following values: IPSec mode, authentication algorithm, authentication key.
20. The circuit according to claim 1, further comprising means for rejecting said packet if an error is received from said VPN security processor.
21. The circuit according to claim 1, wherein said circuit is implemented in an Application Specific Integrated Circuit (ASIC).
22. The circuit according to claim 1, wherein said circuit is implemented in a Field Programmable Gate Array (FPGA).
23. The circuit according to claim 1, wherein said circuit is implemented in a Digital Signal Processor (DSP).
24. A Virtual Private Network (VPN) circuit, comprising:

security association database means for storing security related data for a plurality of security associations, each entry comprising security association related data corresponding to a unique socket;

a plurality of security engines, each security engine adapted to perform a security process;

means for opening a new security association upon receipt of a socket not found in said security association database means;

means for searching for and recognizing a security association associated with an input packet in accordance with its socket;

means for retrieving from said security association database means a plurality of security related parameters;

means for forwarding said plurality of security related parameters to at least one of said security engines for performing a security process therewith; and packet building means adapted to construct an output packet in accordance with a particular security mode utilizing said input packet and the results of said security process.
25. The circuit according to claim 24, wherein at least one of said security engines is adapted to implement IPSec tunnel mode services.
26. The circuit according to claim 24, wherein at least one of said security engines is adapted to implement IPSec transport mode services.
27. The circuit according to claim 24, wherein at least one said security engine is adapted to perform encryption.
28. The circuit according to claim 24, wherein at least one said security engine is adapted to perform decryption.

28. The circuit according to claim 24, wherein at least one said security engine is adapted to perform authentication.
29. The circuit according to claim 24, wherein at least one said security engine is adapted to perform one or more IPSec services.
30. The circuit according to claim 24, wherein said circuit is implemented in an Application Specific Integrated Circuit (ASIC).
31. The circuit according to claim 24, wherein said circuit is implemented in a Field Programmable Gate Array (FPGA).
32. The circuit according to claim 24, wherein said circuit is implemented in a Digital Signal Processor (DSP).
33. A portable computing device, comprising:

communication means adapted to connect said device to a communications network;

memory means comprising volatile and non-volatile memory, said non-volatile memory adapted to store program code;

a processor coupled to said memory means and said communication means for executing said program code; and a Virtual Private Network (VPN) circuit, comprising:

security association database means for storing security related data for a plurality of security associations, each entry comprising security association related data corresponding to a unique socket;

a plurality of security engines, each security engine adapted to perform a security process;

means for opening a new security association upon receipt of a socket not found in said security association database means;

means for searching for and recognizing a security association associated with an input packet in accordance with its socket;

means for retrieving from said security association database means a plurality of security related parameters;

means for forwarding said plurality of security related parameters to at least one of said security engines for performing a security process therewith;

packet building means adapted to construct an output packet in accordance with a particular security mode utilizing said input packet and the results of said security process.
34. The device according to claim 33, wherein said communications network comprises a Wide Area Network (WAN).
35. The device according to claim 33, wherein said communications network comprises a Local Area Network (LAN).
36. The device according to claim 33, wherein said communications network comprises the Internet.
37. The device according to claim 33, wherein said communications network comprises a Public Switched Telephone Network (PSTN).
38. The circuit according to claim 33, wherein at least one of said security engines is adapted to perform encryption.
39. The circuit according to claim 33, wherein at least one of said security engines is adapted to perform decryption.
40. The circuit according to claim 33, wherein at least one of said security engines is adapted to perform authentication.
41. The circuit according to claim 33, wherein at least one of said security engines is adapted to perform an IPSec service.
42. The circuit according to claim 33, wherein said VPN circuit is implemented in an Application Specific Integrated Circuit (ASIC).
43. The circuit according to claim 33, wherein said VPN circuit is implemented in a Field Programmable Gate Array (FPGA).
44. The circuit according to claim 33, wherein said VPN circuit is implemented in a Digital Signal Processor (DSP).
45. A security association processor circuit, comprising:

a security association database for storing security related data for a plurality of security associations, each entry comprising security association related data corresponding to a unique socket;

a management unit adapted to open a new security association upon receipt of a socket not found in said security association database;

a recognition unit adapted to search for and recognize a security association associated with an input packet in accordance with its socket;

a main processor unit adapted to retrieve from said security association database a plurality of security related parameters and forward them to a Virtual Private Networking (VPN) security processor for performing one or more security processes therewith; and a hash unit comprising a hash function and associated hash table for facilitating the search for stored security associations.
46. The circuit according to claim 45, further comprising a least recently used (LRU) linked list adapted to provide a listing of the frequency of use of said security associations stored in said security association database.
47. The circuit according to claim 45, further comprising a packet builder adapted to constrict an output packet in accordance with a particular security mode utilizing said input packet and the results of said one or more security processes.
48. The circuit according to claim 45, wherein said VPN security processor comprises means for performing encryption.
49. The circuit according to claim 45, wherein said VPN security processor comprises means for performing decryption.
50. The circuit according to claim 45, wherein said VPN security processor comprises means for performing authentication.
51. The circuit according to claim 45, Wherein said VPN security processor comprises means for performing an IPSec service.
52. The circuit according to claim 45, wherein said circuit is implemented in an Application Specific Integrated Circuit (ASIC).
53. The method according to claim 45, wherein said circuit is implemented in a Field Programmable Gate Array (FPGA).
54. The method according to claim 45, wherein said circuit is implemented in a Digital Signal Processor (DSP).
55. A method of security association, said method comprising the steps of:
establishing a security association database adapted to store security related data for a plurality of security associations, each entry within said security association database corresponding to a socket;
opening a new security association upon receipt of a socket not found in said security association database;
searching for and recognizing a security association associated with a packet in accordance with its socket;

retrieving from said security association database a plurality of security related parameters; and forwarding said plurality of security related parameters to a Virtual Private Networking (VPN) security processor for performing one or more security processes therewith.
56. The method according to claim 55, further comprising the step of updating the contents of said security association database in accordance with results of said security processes.
57. The method according to claim 55, wherein said step of opening a new security association comprises:
storing security related data corresponding to said new security association in said security association database;
calculating a hash value on the socket associated with said new security association;
and storing said hash value in a hash table.
58. The method according to claim 55, wherein said step of opening a new security association comprises inserting a pointer to said new security association in a Least Recently Used (LRU) linked list.
59. The method according to claim 55, further comprising the step of removing unused security associations from said security association database.
60. The method according to claim 55, further comprising the step of removing unused security associations from said security association database upon exceeding a maximum timeout.
61. The method according to claim 55, further comprising the step of removing unused security associations from said security association database upon exceeding a maximum byte count.
62. The method according to claim 55, wherein said step of searching for and recognizing a security association comprises the steps of:

calculating a hash value on the socket associated with the security association to be recognized;
looking up a hash pointer in a hash table using hash result as an index;
retrieving data from said security association database in accordance with said hash pointer; and recognizing said security association if the retrieved data matches the socket associated with the packet.
63. The method according to claim 55, wherein said VPN security processor is adapted to perform encryption.
64. The method according to claim 55, wherein said VPN security processor is adapted to perform decryption.
65. The method according to claim 55, wherein said VPN security processor is adapted to perform authentication.
66. The method according to claim 55, wherein said VPN security processor is adapted to perform an IPSec specified service.
67. The method according to claim 55, further comprising the step of applying an anti-replay mechanism to packets received from a remote network.
68. The method according to claim 55, further comprising the step of tracking sequence numbers of packets received from a remote network.
69. The method according to claim 55, further comprising the step of establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used security associations are stored at the tail and least recently used security associations are stored at the head.
70. The method according to claim 69, wherein in the event said LRU list is full, the security associations at the head is deleted and a new security association is added to the tail.
71. The method according to claim 55, wherein said socket comprises a Security Parameter Index (SPI), remote IP and Protocol components.
72. The method according to claim 55, wherein said security association related data comprises any one or combination of the following values: IPSec mode, encryption algorithm, encryption hey.
73. The method according to claim 55, wherein said security association related data comprises any one or combination of the following values: IPSec mode, authentication algorithm, authentication key.
74. The method according to claim 55, further comprising the step of rejecting said packet if an error is received from said VPN security processor.
75. The method according to claim 55, wherein said method is implemented in an Application Specific Integrated Circuit (ASIC).
76. The method according to claim 55, wherein said method is implemented in a Field Programmable Gate Array (FPGA).
77. The method according to claim 55, wherein said method is implemented in a Digital Signal Processor (DSP).
78. A computer readable storage medium having computer readable program code means embodied therein for causing a suitably programmed computer to a security association mechanism when such program is executed on said computer, said computer readable storage medium comprising:
computer readable program code means for causing said computer to establish a security association database for storing security related data for a plurality of security associations, each entry comprising security association related data corresponding to a unique socket;
computer readable program code means for causing said computer to open a new security association upon receipt of a socket not found in said security association database;
computer readable program code means for causing said computer to search for and recognizing a security association associated with a packet in accordance with its socket;

computer readable prob am code means for causing said computer to retrieve from said security association database a plurality of security related parameters;
and computer readable program code means for causing said computer to forward said plurality of security related parameters to a Virtual Private Networking (VPN) security processor for performing one or more security processes therewith.
CA2452052A 2001-07-10 2002-07-10 Virtual private network mechanism incorporating security association processor Expired - Fee Related CA2452052C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US09/902,770 2001-07-10
US09/902,770 US7107464B2 (en) 2001-07-10 2001-07-10 Virtual private network mechanism incorporating security association processor
PCT/IB2002/002720 WO2003007524A2 (en) 2001-07-10 2002-07-10 Virtual private network mechanism incorporating security association processor

Publications (2)

Publication Number Publication Date
CA2452052A1 true CA2452052A1 (en) 2003-01-23
CA2452052C CA2452052C (en) 2012-11-27

Family

ID=25416373

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2452052A Expired - Fee Related CA2452052C (en) 2001-07-10 2002-07-10 Virtual private network mechanism incorporating security association processor

Country Status (8)

Country Link
US (1) US7107464B2 (en)
EP (1) EP1405452B1 (en)
JP (1) JP4344609B2 (en)
CN (2) CN101494649B (en)
AU (1) AU2002319557A1 (en)
BR (1) BRPI0205727B1 (en)
CA (1) CA2452052C (en)
WO (1) WO2003007524A2 (en)

Families Citing this family (108)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8751647B1 (en) 2001-06-30 2014-06-10 Extreme Networks Method and apparatus for network login authorization
US7856660B2 (en) * 2001-08-21 2010-12-21 Telecommunication Systems, Inc. System for efficiently handling cryptographic messages containing nonce values
DE10142959A1 (en) * 2001-09-03 2003-04-03 Siemens Ag Method, system and computer for negotiating a security relationship on the application layer
GB2370732B (en) * 2001-10-17 2003-12-10 Ericsson Telefon Ab L M Security in communications networks
US7188364B2 (en) 2001-12-20 2007-03-06 Cranite Systems, Inc. Personal virtual bridged local area networks
US7986937B2 (en) * 2001-12-20 2011-07-26 Microsoft Corporation Public access point
US7120791B2 (en) * 2002-01-25 2006-10-10 Cranite Systems, Inc. Bridged cryptographic VLAN
US7246245B2 (en) * 2002-01-10 2007-07-17 Broadcom Corporation System on a chip for network storage devices
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US7203957B2 (en) * 2002-04-04 2007-04-10 At&T Corp. Multipoint server for providing secure, scaleable connections between a plurality of network devices
JP3700671B2 (en) * 2002-04-10 2005-09-28 横河電機株式会社 Security management system
US7154861B1 (en) * 2002-04-22 2006-12-26 Extreme Networks Method and system for a virtual local area network to span multiple loop free network topology domains
US7937471B2 (en) 2002-06-03 2011-05-03 Inpro Network Facility, Llc Creating a public identity for an entity on a network
US7421736B2 (en) * 2002-07-02 2008-09-02 Lucent Technologies Inc. Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network
US7441262B2 (en) * 2002-07-11 2008-10-21 Seaway Networks Inc. Integrated VPN/firewall system
US8234358B2 (en) 2002-08-30 2012-07-31 Inpro Network Facility, Llc Communicating with an entity inside a private network using an existing connection to initiate communication
US20100138909A1 (en) * 2002-09-06 2010-06-03 O2Micro, Inc. Vpn and firewall integrated system
AU2003268533A1 (en) * 2002-09-06 2004-03-29 O2Micro, Inc. Vpn and firewall integrated system
US20060182083A1 (en) * 2002-10-17 2006-08-17 Junya Nakata Secured virtual private network with mobile nodes
US7441043B1 (en) * 2002-12-31 2008-10-21 At&T Corp. System and method to support networking functions for mobile hosts that access multiple networks
US8364822B2 (en) * 2003-01-31 2013-01-29 Nippon Telegraph And Telephone Corporation VPN communication control device, communication control method in VPN, and virtual dedicated network management device
US7949785B2 (en) * 2003-03-31 2011-05-24 Inpro Network Facility, Llc Secure virtual community network system
US7991751B2 (en) * 2003-04-02 2011-08-02 Portauthority Technologies Inc. Method and a system for information identification
US7325002B2 (en) * 2003-04-04 2008-01-29 Juniper Networks, Inc. Detection of network security breaches based on analysis of network record logs
US20040268124A1 (en) * 2003-06-27 2004-12-30 Nokia Corporation, Espoo, Finland Systems and methods for creating and maintaining a centralized key store
CN1315298C (en) * 2003-07-01 2007-05-09 智邦科技股份有限公司 System and method for synchronous packaging processing
US6988106B2 (en) * 2003-07-09 2006-01-17 Cisco Technology, Inc. Strong and searching a hierarchy of items of particular use with IP security policies and security associations
US7568107B1 (en) * 2003-08-20 2009-07-28 Extreme Networks, Inc. Method and system for auto discovery of authenticator for network login
CN100499451C (en) * 2003-08-26 2009-06-10 中兴通讯股份有限公司 Network communication safe processor and its data processing method
US7350233B1 (en) * 2003-09-12 2008-03-25 Nortel Networks Limited Fast re-establishment of communications for virtual private network devices
FI20031361A0 (en) * 2003-09-22 2003-09-22 Nokia Corp Remote management of IPSec security associations
US7636805B2 (en) * 2003-10-20 2009-12-22 Logitech Europe S.A. Method and apparatus for communicating data between two hosts
US7886057B2 (en) * 2003-10-20 2011-02-08 Logitech Europe S.A. Method and apparatus for communicating data between two hosts
US7464266B2 (en) * 2004-02-13 2008-12-09 Microsoft Corporation Cheap signatures for synchronous broadcast communication
US10375023B2 (en) * 2004-02-20 2019-08-06 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network
US8186026B2 (en) * 2004-03-03 2012-05-29 Rockstar Bidco, LP Technique for maintaining secure network connections
US7502474B2 (en) * 2004-05-06 2009-03-10 Advanced Micro Devices, Inc. Network interface with security association data prefetch for high speed offloaded security processing
US20050283604A1 (en) * 2004-06-21 2005-12-22 Ipolicy Networks, Inc., A Delaware Corporation Security association configuration in virtual private networks
US20050283441A1 (en) * 2004-06-21 2005-12-22 Ipolicy Networks, Inc., A Delaware Corporation Efficient policy change management in virtual private networks
CN100385885C (en) * 2004-07-09 2008-04-30 威达电股份有限公司 Safety gateway with SSL protection function and method
US7890992B2 (en) * 2004-08-19 2011-02-15 Cisco Technology, Inc. Method and apparatus for selection of authentication servers based on the authentication mechanisms in supplicant attempts to access network resources
US7624263B1 (en) * 2004-09-21 2009-11-24 Advanced Micro Devices, Inc. Security association table lookup architecture and method of operation
US7543064B2 (en) * 2004-09-30 2009-06-02 Logitech Europe S.A. Multiplayer peer-to-peer connection across firewalls and network address translators using a single local port on the local host
US7565526B1 (en) * 2005-02-03 2009-07-21 Sun Microsystems, Inc. Three component secure tunnel
US8108691B2 (en) * 2005-02-07 2012-01-31 Sandisk Technologies Inc. Methods used in a secure memory card with life cycle phases
US8423788B2 (en) * 2005-02-07 2013-04-16 Sandisk Technologies Inc. Secure memory card with life cycle phases
US8321686B2 (en) * 2005-02-07 2012-11-27 Sandisk Technologies Inc. Secure memory card with life cycle phases
US7769858B2 (en) * 2005-02-23 2010-08-03 International Business Machines Corporation Method for efficiently hashing packet keys into a firewall connection table
US7984495B1 (en) * 2005-03-09 2011-07-19 Sonicwall, Inc. Method and an apparatus to identify security association of virtual private network tunnels
US7738468B2 (en) * 2005-03-22 2010-06-15 Logitech Europe S.A. Method and apparatus for packet traversal of a network address translation device
US8189481B2 (en) * 2005-04-08 2012-05-29 Avaya, Inc QoS-based routing for CE-based VPN
US7748031B2 (en) * 2005-07-08 2010-06-29 Sandisk Corporation Mass storage device with automated credentials loading
US8166547B2 (en) * 2005-09-06 2012-04-24 Fortinet, Inc. Method, apparatus, signals, and medium for managing a transfer of data in a data network
US7536540B2 (en) * 2005-09-14 2009-05-19 Sandisk Corporation Method of hardware driver integrity check of memory card controller firmware
US20070061597A1 (en) * 2005-09-14 2007-03-15 Micky Holtzman Secure yet flexible system architecture for secure devices with flash mass storage memory
ES2314534T3 (en) * 2005-09-20 2009-03-16 Panasonic Corporation PROCEDURE AND DEVICE FOR THE SIGNALING OF SEGMENTATION AND CONCATENATION OF PACKAGES IN A TELECOMMUNICATIONS SYSTEM.
US7783615B1 (en) * 2005-09-30 2010-08-24 Emc Corporation Apparatus and method for building a file system index
US8032745B2 (en) * 2005-12-20 2011-10-04 International Business Machines Corporation Authentication of I2C bus transactions
US8176317B2 (en) * 2006-01-19 2012-05-08 Helius, Inc. System and method for multicasting IPSec protected communications
JP2007208632A (en) * 2006-02-01 2007-08-16 Sony Corp Information processor and information processing method, program, and recording medium
KR100772394B1 (en) * 2006-02-09 2007-11-01 삼성전자주식회사 Method and apparatus for updating ant-reply window of IPSec
US7962652B2 (en) * 2006-02-14 2011-06-14 International Business Machines Corporation Detecting network topology when negotiating IPsec security associations that involve network address translation
US7784086B2 (en) * 2006-03-08 2010-08-24 Panasonic Corporation Method for secure packet identification
US7881470B2 (en) * 2006-03-09 2011-02-01 Intel Corporation Network mobility security management
US7801144B2 (en) * 2006-03-31 2010-09-21 Agere Systems Inc. Switch-based network processor
EP1858218B1 (en) * 2006-05-17 2011-09-14 Deutsche Telekom AG Method and entities for providing call enrichment of voice calls and semantic combination of several service sessions to a virtual combined service session
US8001524B1 (en) * 2006-07-19 2011-08-16 Juniper Networks, Inc. Instruction extension for linked list lookup
US7616508B1 (en) * 2006-08-10 2009-11-10 Actel Corporation Flash-based FPGA with secure reprogramming
US20080072058A1 (en) * 2006-08-24 2008-03-20 Yoram Cedar Methods in a reader for one time password generating device
US20080052524A1 (en) * 2006-08-24 2008-02-28 Yoram Cedar Reader for one time password generating device
US8423794B2 (en) * 2006-12-28 2013-04-16 Sandisk Technologies Inc. Method and apparatus for upgrading a memory card that has security mechanisms for preventing copying of secure content and applications
KR100839941B1 (en) * 2007-01-08 2008-06-20 성균관대학교산학협력단 Abnormal ipsec packet control system using ipsec configuration and session data, and method thereof
EP2122969A1 (en) * 2007-03-16 2009-11-25 Telefonaktiebolaget LM Ericsson (PUBL) Securing ip traffic
US20080267177A1 (en) * 2007-04-24 2008-10-30 Sun Microsystems, Inc. Method and system for virtualization of packet encryption offload and onload
US8423767B2 (en) * 2007-06-13 2013-04-16 Cisco Technology, Inc. Security association verification and recovery
US8370919B2 (en) * 2007-06-26 2013-02-05 Microsoft Corporation Host firewall integration with edge traversal technology
US7894420B2 (en) * 2007-07-12 2011-02-22 Intel Corporation Fast path packet destination mechanism for network mobility via secure PKI channel
US8051124B2 (en) * 2007-07-19 2011-11-01 Itt Manufacturing Enterprises, Inc. High speed and efficient matrix multiplication hardware module
US8661524B2 (en) * 2007-12-14 2014-02-25 Novell, Inc. Selective desktop control of virtual private networks (VPN's) in a multiuser environment
US8191133B2 (en) * 2007-12-17 2012-05-29 Avaya Inc. Anti-replay protection with quality of services (QoS) queues
US20090199290A1 (en) * 2008-02-01 2009-08-06 Secure Computing Corporation Virtual private network system and method
US20090228973A1 (en) * 2008-03-06 2009-09-10 Chendil Kumar Techniques for automatic discovery and update of client environmental information in a virtual private network (vpn)
US9137209B1 (en) * 2008-12-10 2015-09-15 Amazon Technologies, Inc. Providing local secure network access to remote services
KR101048510B1 (en) * 2009-05-06 2011-07-11 부산대학교 산학협력단 Method and apparatus for enhancing security in Zigbee wireless communication protocol
US8499338B1 (en) * 2010-02-16 2013-07-30 Sprint Communications Company L.P. Internet protocol controlled modem for use over a wireless voice network
US8549617B2 (en) 2010-06-30 2013-10-01 Juniper Networks, Inc. Multi-service VPN network client for mobile device having integrated acceleration
US10142292B2 (en) 2010-06-30 2018-11-27 Pulse Secure Llc Dual-mode multi-service VPN network client for mobile device
US8127350B2 (en) * 2010-06-30 2012-02-28 Juniper Networks, Inc. Multi-service VPN network client for mobile device
CN102065021B (en) * 2011-01-28 2012-12-26 北京交通大学 IPSecVPN (Internet Protocol Security Virtual Private Network) realizing system and method based on NetFPGA (Net Field Programmable Gate Array)
US8359466B2 (en) * 2011-04-29 2013-01-22 Lsi Corporation Security association prefetch for security protcol processing
US8261085B1 (en) 2011-06-22 2012-09-04 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
US8595510B2 (en) 2011-06-22 2013-11-26 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
US20120331308A1 (en) * 2011-06-22 2012-12-27 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
US8181035B1 (en) 2011-06-22 2012-05-15 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
US8775614B2 (en) 2011-09-12 2014-07-08 Microsoft Corporation Monitoring remote access to an enterprise network
US9246876B1 (en) * 2011-10-13 2016-01-26 Juniper Networks, Inc. Anti-replay mechanism for group virtual private networks
CN102970228B (en) * 2012-11-22 2016-04-27 杭州华三通信技术有限公司 A kind of message transmitting method based on IPsec and equipment
US10515231B2 (en) * 2013-11-08 2019-12-24 Symcor Inc. Method of obfuscating relationships between data in database tables
US9641542B2 (en) * 2014-07-21 2017-05-02 Cisco Technology, Inc. Dynamic tuning of attack detector performance
CN105791219B (en) 2014-12-22 2020-03-20 华为技术有限公司 Anti-replay method and device
WO2016118523A1 (en) 2015-01-19 2016-07-28 InAuth, Inc. Systems and methods for trusted path secure communication
US9621520B2 (en) 2015-03-19 2017-04-11 Cisco Technology, Inc. Network service packet header security
CN106534153B (en) * 2016-11-30 2023-06-13 广东科达洁能股份有限公司 Bridge connection private line establishment system based on Internet
CN108494744B (en) * 2018-03-07 2021-08-24 杭州迪普科技股份有限公司 IPsec VPN client message processing method and device
CN110098975B (en) * 2019-04-03 2021-03-30 新浪网技术(中国)有限公司 Detection method and system for user to access internet through virtual private network
US11032203B2 (en) * 2019-04-26 2021-06-08 Juniper Networks, Inc. Providing predictable quality of service traffic steering
US11477176B1 (en) * 2021-05-27 2022-10-18 Microsoft Technology Licensing, Llc Throughput for a single VPN connection using multiple processing cores
CN114301632B (en) * 2021-12-02 2023-11-10 北京天融信网络安全技术有限公司 IPsec data processing method, terminal and storage medium

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US618226A (en) * 1899-01-24 Milk-heater
WO1993017872A1 (en) * 1992-03-03 1993-09-16 The Technology Partnership Limited Electronic marking instrument
US5672929A (en) * 1992-03-03 1997-09-30 The Technology Partnership Public Limited Company Moving sensor using mechanical vibrations
US5473607A (en) * 1993-08-09 1995-12-05 Grand Junction Networks, Inc. Packet filtering for data networks
US5384524A (en) * 1993-09-02 1995-01-24 Cirrus Logic, Inc. Voice coil motor control circuit and method for servo system control in a computer mass storage device
US6185409B1 (en) * 1995-11-30 2001-02-06 Amsc Subsidiary Corporation Network engineering/systems engineering system for mobile satellite communication system
US5809025A (en) * 1996-03-15 1998-09-15 Motorola, Inc. Virtual path-based static routing
US6073204A (en) * 1997-04-23 2000-06-06 Micron Technology, Inc. Memory system having flexible architecture and method
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5944823A (en) * 1996-10-21 1999-08-31 International Business Machines Corporations Outside access to computer resources through a firewall
US6233686B1 (en) * 1997-01-17 2001-05-15 At & T Corp. System and method for providing peer level access control on a network
US6118087A (en) * 1997-03-31 2000-09-12 Idec Izumi Corporation Safety switch
US6021459A (en) * 1997-04-23 2000-02-01 Micron Technology, Inc. Memory system having flexible bus structure and method
US5974499A (en) * 1997-04-23 1999-10-26 Micron Technology, Inc. Memory system having read modify write function and method
US6078985A (en) * 1997-04-23 2000-06-20 Micron Technology, Inc. Memory system having flexible addressing and method using tag and data bus communication
US6175891B1 (en) * 1997-04-23 2001-01-16 Micron Technology, Inc. System and method for assigning addresses to memory devices
US6674536B2 (en) * 1997-04-30 2004-01-06 Canon Kabushiki Kaisha Multi-instruction stream processor
AUPO647997A0 (en) * 1997-04-30 1997-05-22 Canon Information Systems Research Australia Pty Ltd Memory controller architecture
US6349379B2 (en) 1997-04-30 2002-02-19 Canon Kabushiki Kaisha System for executing instructions having flag for indicating direct or indirect specification of a length of operand data
US6173399B1 (en) * 1997-06-12 2001-01-09 Vpnet Technologies, Inc. Apparatus for implementing virtual private networks
US6055236A (en) * 1998-03-05 2000-04-25 3Com Corporation Method and system for locating network services with distributed network address translation
US6182226B1 (en) 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6226751B1 (en) * 1998-04-17 2001-05-01 Vpnet Technologies, Inc. Method and apparatus for configuring a virtual private network
US6154839A (en) * 1998-04-23 2000-11-28 Vpnet Technologies, Inc. Translating packet addresses based upon a user identifier
US6175917B1 (en) * 1998-04-23 2001-01-16 Vpnet Technologies, Inc. Method and apparatus for swapping a computer operating system
US6157955A (en) * 1998-06-15 2000-12-05 Intel Corporation Packet processing system including a policy engine having a classification unit
US6006259A (en) * 1998-11-20 1999-12-21 Network Alchemy, Inc. Method and apparatus for an internet protocol (IP) network clustering system
US6078957A (en) * 1998-11-20 2000-06-20 Network Alchemy, Inc. Method and apparatus for a TCP/IP load balancing and failover process in an internet protocol (IP) network clustering system
EP1094682B1 (en) * 1999-10-22 2005-06-08 Telefonaktiebolaget LM Ericsson (publ) Mobile phone incorporating security firmware

Also Published As

Publication number Publication date
CA2452052C (en) 2012-11-27
BRPI0205727B1 (en) 2017-01-24
JP4344609B2 (en) 2009-10-14
US7107464B2 (en) 2006-09-12
CN101494649A (en) 2009-07-29
JP2005508585A (en) 2005-03-31
CN1600011A (en) 2005-03-23
US20040117653A1 (en) 2004-06-17
WO2003007524A2 (en) 2003-01-23
WO2003007524A3 (en) 2003-05-30
CN101494649B (en) 2012-08-22
BR0205727A (en) 2004-07-06
EP1405452B1 (en) 2013-01-16
EP1405452A2 (en) 2004-04-07
CN100479451C (en) 2009-04-15
AU2002319557A1 (en) 2003-01-29

Similar Documents

Publication Publication Date Title
CA2452052A1 (en) Virtual private network mechanism incorporating security association processor
JP2005508585A5 (en)
CA2445751C (en) Dynamic packet filter utilizing session tracking
EP1966977B1 (en) Method and system for secure communication between a public network and a local network
US7392241B2 (en) Searching method for a security policy database
US7010702B1 (en) Architecture for virtual private networks
EP1435582B1 (en) Hash algorithm and policy management
US7917939B2 (en) IPSec processing device, network system, and IPSec processing program
JP2002504285A (en) Apparatus for realizing virtual private network
CN101116052A (en) Network interface and firewall device
CN106899606A (en) A kind of message processing method and device
US8964748B2 (en) Methods, systems, and computer readable media for performing flow compilation packet processing
CN100417150C (en) Method of access control list or security policy database
WO2006002237A1 (en) Method, apparatuses and program storage device for efficient policy change management in virtual private networks
CN103198105A (en) Searching device and method for Ethernet internet protocol security (IPSec) database
US20100275008A1 (en) Method and apparatus for secure packet transmission
Keni et al. Packet filtering for IPV4 protocol using FPGA
Güvensan et al. Protocol Independent Lightweight Secure Communication.
JP2006311164A (en) Packet transfer equipment
Fan et al. Integrating QoS and security functions in an IP-VPN gateway
WO2005069578A1 (en) Method and apparatus for network intrusion detection system

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed

Effective date: 20190710