1. Dynamic group creation and traffic flow registration under a group in a group key infrastructure
    Type: Granted patent (in force)

    Publication number: US09009302B2

    Publication date: 2015-04-14

    Application number: US13400841

    Filing date: 2012-02-21

    Abstract: Upon detection of a new traffic flow, a registration node can dynamically register the new traffic flow with a key server policy manager by sending a registration request on behalf of the new traffic flow. A registration request indicates the new traffic flow should be protected by a security group. A registration request may also include a request to dynamically generate a new security group to protect the traffic flow. The registration request is received by a key server policy manager, which performs authentication and authorization checks of the requesting registration node, and determines whether to accept or reject the registration request. If accepted, the key server policy manager registers the new traffic flow by including a description of the traffic flow in a group policy of an existing security group or a newly created security group, depending on the registration request.


2. SECURITY ASSOCIATION VERIFICATION AND RECOVERY
    Type: Patent application (in force)

    Publication number: US20080313461A1

    Publication date: 2008-12-18

    Application number: US11762321

    Filing date: 2007-06-13

    IPC classification: H04L9/00 G06F17/00

    CPC classification: H04L63/123 H04L63/164

    Abstract: Example embodiments herein include a verification process that provides a safe and efficient mechanism for recovering security associations between network devices. More specifically, the verification process transmits a secured message from a first network device to a second network device across a network. Furthermore, the security association includes a parent process and a corresponding child process. The verification process detects, at the first network device, an incompatibility in the security association between the first network device and the second network device. Next, the verification process transmits a status query from the first network device to the second network device in order to determine the status of the security association between the first network device and the second network device. In response, the verification process receives a verifiable reply message that is indicative of the status of the security association between the first network device and the second network device.


3. Security association verification and recovery
    Type: Granted patent (in force)

    Publication number: US08423767B2

    Publication date: 2013-04-16

    Application number: US11762321

    Filing date: 2007-06-13

    IPC classification: H04L29/06

    CPC classification: H04L63/123 H04L63/164

    Abstract: Example embodiments herein include a verification process that provides a safe and efficient mechanism for recovering security associations between network devices. More specifically, the verification process transmits a secured message from a first network device to a second network device across a network. Furthermore, the security association includes a parent process and a corresponding child process. The verification process detects, at the first network device, an incompatibility in the security association between the first network device and the second network device. Next, the verification process transmits a status query from the first network device to the second network device in order to determine the status of the security association between the first network device and the second network device. In response, the verification process receives a verifiable reply message that is indicative of the status of the security association between the first network device and the second network device.


4. Method and apparatus for distributing group data in a tunneled encrypted virtual private network
    Type: Granted patent (in force)

    Publication number: US08250359B2

    Publication date: 2012-08-21

    Application number: US12760507

    Filing date: 2010-04-14

    IPC classification: H04L9/00

    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt, then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.


5. Methods and apparatus for providing shortcut switching for a virtual private network
    Type: Granted patent (in force)

    Publication number: US08499095B1

    Publication date: 2013-07-30

    Application number: US11440551

    Filing date: 2006-05-25

    Abstract: A system receives a request at a hub. The request is received from a first spoke regarding a packet to be transmitted from the first spoke to a second spoke. The system identifies, at the time of the request, a preferred route from the first spoke to the second spoke. The system sends a redirect message to the first spoke, the redirect message directing the packet along the preferred route. The system transmits, from a first spoke to a hub, a first request associated with a packet. In response, the system receives, at the first spoke, a redirect message from the hub. The redirect message identifies a preferred route by which the first spoke transmits the packet to a second spoke. The system creates, at the first spoke, a second request containing a destination address of the second spoke, and transmits the second request along the preferred route.


6. TUNNEL AVAILABILITY DETECTION WITH REDUCED CONTROL PLANE OVERHEAD
    Type: Patent application (in force)

    Publication number: US20080195733A1

    Publication date: 2008-08-14

    Application number: US12030630

    Filing date: 2008-02-13

    IPC classification: G06F15/173

    Abstract: Network devices can detect whether a tunnel is available (e.g., usable to convey traffic in both directions) by implementing a tunnel detection protocol that uses a combination of idle timers and multiple types of probes. In this protocol, the device at one end of the tunnel is configured as an active device, while the device at the other end of the tunnel is configured as a passive device. The tunnel detection protocol is asymmetric; the active device sends probes to the passive device, but the passive device does not send probes to the active device. By using at least two types of probes, the active device can inform the passive device about the availability of the path from the passive device to the active device. Since the passive device does not need to send probes or process probe replies, control plane processing on the passive device can be reduced.


7. DYNAMIC GROUP CREATION AND TRAFFIC FLOW REGISTRATION UNDER A GROUP IN A GROUP KEY INFRASTRUCTURE
    Type: Patent application (in force)

    Publication number: US20130219035A1

    Publication date: 2013-08-22

    Application number: US13400841

    Filing date: 2012-02-21

    IPC classification: G06F15/173

    Abstract: Upon detection of a new traffic flow, a registration node can dynamically register the new traffic flow with a key server policy manager by sending a registration request on behalf of the new traffic flow. A registration request indicates the new traffic flow should be protected by a security group. A registration request may also include a request to dynamically generate a new security group to protect the traffic flow. The registration request is received by a key server policy manager, which performs authentication and authorization checks of the requesting registration node, and determines whether to accept or reject the registration request. If accepted, the key server policy manager registers the new traffic flow by including a description of the traffic flow in a group policy of an existing security group or a newly created security group, depending on the registration request.


8. Tunnel availability detection with reduced control plane overhead
    Type: Granted patent (in force)

    Publication number: US07844719B2

    Publication date: 2010-11-30

    Application number: US12030630

    Filing date: 2008-02-13

    IPC classification: G06F15/16

    Abstract: Network devices can detect whether a tunnel is available (e.g., usable to convey traffic in both directions) by implementing a tunnel detection protocol that uses a combination of idle timers and multiple types of probes. In this protocol, the device at one end of the tunnel is configured as an active device, while the device at the other end of the tunnel is configured as a passive device. The tunnel detection protocol is asymmetric; the active device sends probes to the passive device, but the passive device does not send probes to the active device. By using at least two types of probes, the active device can inform the passive device about the availability of the path from the passive device to the active device. Since the passive device does not need to send probes or process probe replies, control plane processing on the passive device can be reduced.
