WO2013124758A1 - Network node with network-attached stateless security offload device - Google Patents


Info

Publication number
WO2013124758A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
security
ihs
external
offload device
Prior art date
Application number
PCT/IB2013/051061
Other languages
English (en)
French (fr)
Inventor
Scott Christopher MOONEN
Linwood Hugh Overby Jr
Christopher Meyer
Curtis Matthew GEARHART
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Ibm (China) Investment Company Limited
Priority date
Filing date
Publication date
Priority claimed from US13/400,575 (US20130219167A1)
Priority claimed from US13/400,577 (US8918634B2)
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited, Ibm (China) Investment Company Limited
Priority to GB1414604.7A (GB2512807B)
Priority to DE112013000649.9T (DE112013000649B4)
Priority to CN201380010353.3A (CN104137508B)
Priority to JP2014553855A (JP5746446B2)
Publication of WO2013124758A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Definitions

  • the present invention relates generally to data security in information handling systems (IHSs), and more specifically, to data security in communications between networked IHSs.
  • IHSs information handling systems
  • Authentication of a source IHS and a destination IHS may increase the security of network communications.
  • Encryption of communications between source and destination IHSs may also increase the security of network communications.
  • a security offload method includes storing, by a host information handling system (IHS), security metadata that is associated with a data packet.
  • the method also includes determining, by a host IHS, if a data packet is a data packet that requires security processing.
  • the method further includes providing, by the host IHS, the data packet to an internal network interface controller if the host IHS determines that the data packet does not require security processing, the internal network interface controller transmitting the data packet to a communications network for communication to an IHS other than the host IHS.
  • the method still further includes offloading, by the host IHS via a secure data link, the data packet and associated security metadata to a stateless external security offload device if the host IHS determines that the data packet requires security processing, thus providing an offloaded data packet, the stateless external security offload device being external to the host IHS.
  • the method also includes encrypting and
  • In another aspect, a network node includes a host information handling system (IHS).
  • the host IHS includes an internal network interface controller.
  • the network node includes a secure data link that couples to the host IHS.
  • the network node also includes a stateless external security offload device that couples to the host IHS via the secure data link.
  • the external security offload device is external to the host IHS.
  • the host IHS is configured to store security metadata that is associated with a data packet.
  • the host IHS is also configured to offload the data packet and associated security metadata via the secure data link to the stateless external security offload device, thus providing an offloaded data packet.
  • the stateless external security offload device is configured to receive the offloaded data packet and associated security metadata.
  • the stateless external security offload device is also configured to encrypt and encapsulate the offloaded data packet thus providing an encapsulated encrypted data packet.
  • the stateless external security offload device is further configured to transmit the encapsulated encrypted data packet back to the host IHS for further processing.
  • the host IHS is also configured to transmit the encapsulated encrypted data packet via the internal network interface controller of the host IHS to a communications network for communication to an IHS other than the host IHS.
  • the disclosed security offload method includes receiving, by an internal network interface controller that is internal to a host information handling system (IHS), a data packet from a communications network, thus providing a received data packet.
  • the method also includes determining, by the host IHS, if the received data packet is an encapsulated encrypted data packet that requires security processing.
  • the method further includes forwarding, by the host IHS, the received data packet to an application in the host IHS for processing if the host IHS determines that the received data packet is not an encapsulated encrypted data packet that requires security processing.
  • the method still further includes offloading, by the host IHS via a secure data link, the received data packet to a stateless external security offload device, if the host IHS determines that the received data packet is an encapsulated encrypted data packet that requires security processing, the stateless external security offload device being external to the host IHS.
  • the method also includes decapsulating and decrypting, by the stateless external security offload device, the received data packet, thus providing a decapsulated decrypted data packet.
  • the method further includes transmitting, by the stateless external security offload device via the secure data link, the decapsulated decrypted data packet back to the host IHS for further processing by the application in the host IHS.
  • In another aspect, a network node includes a host information handling system (IHS).
  • the host IHS includes an internal network interface controller.
  • the network node includes a secure data link coupled to the host IHS.
  • the network node also includes a stateless external security offload device that couples to the host IHS via the secure data link.
  • the external security offload device is external to the host IHS.
  • the host IHS is configured to receive a data packet from a communications network via the internal interface controller, thus providing a received data packet.
  • the host IHS is also configured to determine if the received data packet is an encapsulated encrypted data packet that requires security processing.
  • the host IHS is further configured to forward the received data packet to an application in the host IHS for processing if the host IHS determines that the received data packet is not an encapsulated encrypted data packet that requires security processing.
  • the host IHS is still further configured to offload the received data packet via the secure data link to the stateless external security offload device, thus providing an offloaded data packet if the host IHS determines that the received data packet is an encapsulated encrypted data packet that requires security processing.
  • the stateless external security offload device is configured to decapsulate and decrypt the offloaded data packet, thus providing a decapsulated decrypted data packet.
  • the stateless external security offload device is also configured to transmit, via the secure data link, the decapsulated decrypted data packet back to the host IHS for further processing by the application in the host IHS.
  • FIG. 1A is a block diagram of the disclosed network system.
  • FIG. 1B is a block diagram of a network node that the disclosed network system may employ.
  • FIG. 2 is a flow chart that depicts one method of processing outbound data packets with an external security offload device at a network node.
  • FIG. 3 is a flow chart that depicts one method of processing inbound data packets with an external security offload device at a network node.
  • FIG. 4 is a flow chart that depicts another method of processing outbound data packets with an external security offload device at a network node.
  • FIG. 5 is a flow chart that depicts another method of processing inbound data packets with an external security offload device at a network node.
  • a network node includes a host information handling system (IHS) that couples via a secure data link to a stateless external security offload device.
  • the stateless external security offload device couples to an external network interface controller that communicates with one or more other network nodes in the network system.
  • the host IHS offloads security-related tasks to the external security offload device to reduce the security-related workload on the host IHS.
  • the external security offload device may add optional headers to a data packet and/or may apply cryptographic methodology to the data packet on behalf of the host IHS.
  • the host IHS may offload security-related tasks such as encapsulation and decapsulation, encryption and decryption as well as authentication, to an external security offload device that is a network-attached device.
  • the host IHS may store state information, such as IPSec sequence numbers, in a TCP/IP stack of the host IHS rather than in the external security offload device, thus providing a stateless external security offload device rather than a stateful external security offload device.
  • FIG. 1A is a block diagram of the disclosed network system 100 that includes multiple network nodes, such as network nodes 101 and 101', that couple together via a communications network 102.
  • Communications network 102 may be virtually any type of communications apparatus including wired and/or wireless links. For example, communications network 102 may include transmission lines, routers, switches, hubs, network fabric, Internet connections, local area networks (LANs) and wide area networks (WANs).
  • LANs local area networks
  • WANs wide area networks
  • Either network node 101 or network node 101' may be the source of a data packet that requires security processing. When network node 101 is the source of a data packet, network node 101' may be the destination of that data packet. Conversely, when network node 101' is the source of a data packet, network node 101 may be the destination of that data packet.
  • Network system 100 may include more network nodes than shown in Fig. 1A.
  • Network node 101 includes a host IHS 103 with an internal network interface controller 107 that couples host IHS 103 to communications network 102.
  • Network node 101 also includes an external security offload device 104 that couples via a secure data link 105 to host IHS 103.
  • external security offload device 104 is a
  • An external network interface controller 106 couples external security offload device 104 to communication network 102. In one embodiment, external network interface controller 106 couples to external security offload device 104, as shown. In another embodiment, external network interface controller 106 is inside external security offload device 104, but still external to host IHS 103.
  • network node 101' includes a host IHS 103' with an internal network interface controller 107' that couples host IHS 103' to communications network 102.
  • Network node 101' also includes an external security offload device 104' that couples via a secure data link 105' to host IHS 103'. In one embodiment, external security offload device 104' is a network-attached device.
  • An external network interface controller 106' couples external security offload device 104' to communication network 102.
  • FIG. 1B is a block diagram of a network node 101 that network system 100 may employ as network node 101 and/or network node 101' as well as other network nodes (not shown) of network system 100.
  • FIG. 1B shows network node 101 that includes a host information handling system (IHS) 103 that couples to an external security offload device 104 via secure data link 105.
  • IHS host information handling system
  • Secure data link 105 may prevent unencrypted traffic from being seen or modified by unintended parties. To achieve security, secure data link 105 may employ Open Systems Interconnection (OSI) layer 1 physical isolation, OSI layer 2 encryption, and other OSI layers and/or other security measures.
  • Host IHS 103 includes a processor 110 that may include multiple cores and SRAM cache 150. Host IHS 103 processes, transfers, communicates, modifies, stores or otherwise handles information in digital form, analog form or other form.
  • Host IHS 103 includes a bus 115 that couples processor 110 to system memory 120 via a memory controller 125 and memory bus 130. In one embodiment, system memory 120 is external to processor 110.
  • System memory 120 may be a static random access memory (SRAM) array and/or a dynamic random access memory (DRAM) array.
  • a video graphics controller 135 couples display 140 to bus 115.
  • Nonvolatile storage 145 such as a hard disk drive, CD drive, DVD drive, or other nonvolatile storage couples to bus 115 to provide host IHS 103 with permanent storage of information.
  • I/O devices 190 such as a keyboard and a mouse pointing device, couple to bus 115 via I/O controller 155 and I/O bus 160.
  • One or more expansion busses 165 such as USB, IEEE 1394 bus, ATA, SATA, PCI, PCIE, DVI, HDMI and other expansion busses, couple to bus 115 to facilitate the connection of peripherals and devices to host IHS 103.
  • the dashed line 103 in FIG. 1B indicates host IHS 103 as well as a housing and/or chassis of host IHS 103. In this manner, those structures of host IHS 103 that are inside dashed line 103 are internal to host IHS 103, and those structures of network node 101 that are outside of dashed line 103 are external to host IHS 103.
  • Host IHS 103 of network node 101 includes an internal network interface controller 107 that couples to bus 115 to enable host IHS 103 to connect by wire or wirelessly to a network such as communications network 102 and other information handling systems and network nodes such as network node 101'.
  • Host IHS 103 may take the form of a desktop, server, portable, laptop, notebook, or other form factor computer or data processing system.
  • Host IHS 103 may take other form factors such as a gaming device, a personal digital assistant (PDA), a portable telephone device, a communication device or other devices that include a processor and memory.
  • Host IHS 103 may also take the form of a portable, laptop, notebook, gaming device, PDA or any battery-powered device.
  • the performance of host IHS 103 may be especially sensitive to computationally intensive processes that may add to network latency (such as packet security and IPsec processing).
  • Host IHS 103 may include a computer program product on digital media 175 such as a CD, DVD or other media.
  • digital media 175 includes an application 182.
  • a user may load application 182 on nonvolatile storage 145 as application 182'.
  • Nonvolatile storage 145 may store an operating system 181 which may include network software 183.
  • the host IHS loads operating system 181 and application 182' into system memory 120 for execution as operating system 181', network software 183' and application 182".
  • Operating system 181', which may include network software 183', governs the operation of host IHS 103.
  • Host IHS 103 couples to the external security offload device 104 through a secure data link 105.
  • the external security offload device 104 couples to an external network interface controller 106. In this manner, external network interface controller 106 is a "network-attached" device.
  • a "network-attached" device acts as a wired and/or wireless portal to a communications network, such as communications network 102, that may interconnect multiple network nodes.
  • external network interface controllers 106 and 106', and internal network interface controllers 107 and 107', serve as wired and/or wireless portals that interconnect network nodes 101 and 101' via communications network 102.
  • Host IHS 103 together with secure data link 105, external security offload device 104 and external network interface controller 106 collectively form a network node 101 for communicating data packets with other network nodes.
  • host IHS 103 in cooperation with external security offload device 104 may secure these data packets with a security protocol such as the Internet Protocol Security (IPsec) protocol suite.
  • IPsec Internet Protocol Security
  • the external security offload device 104 of the network node 101 may employ the Internet Protocol Security (IPsec) protocol suite to secure Internet Protocol (IP) communications on behalf of the host IHS 103.
  • External security offload device 104 may be an information handling system that includes a processor (not shown) for facilitating the encapsulation and decapsulation of data packets, for facilitating the encryption and decryption of data packets, for authentication of data packets, and for optionally performing firewall and intrusion detection services (IDSs) and other optional services on data packets.
  • External security offload device 104 may also include memory (not shown) and storage (not shown).
  • External security offload device 104 may employ a security protocol that
  • the security protocol may encrypt the encapsulated IP data packet.
  • the IPsec protocol authenticates and encrypts each IP data packet of a communication session.
  • IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the communication session and for negotiation of cryptographic keys for use during the communication session.
  • Host IHS 103 and host IHS 103' are examples of such agents. More specifically, the portion of network software 183 that provides security is an agent that may act at the direction of a human security administrator.
  • the external security offload device 104 may provide all IPsec encapsulation and decapsulation operations, as well as encryption, decryption and authentication, for the network node 101. This reduces the security-related workload of the host IHS 103 in the network node 101.
  • a security policy is a rule that a designer, programmer or other entity programs into a security protocol, such as the IPsec protocol, that instructs the protocol how to process data packets that a particular device receives. For example, a security policy may decide whether or not a particular data packet requires IPsec protocol security processing. Those data packets that do not require security processing may bypass Authentication Header (AH) protocol processing or Encapsulating Security Payload (ESP) protocol processing. If the device determines that a particular data packet requires security protocol processing, then a security policy may instruct the device with guidelines for handling security for that data packet. In one embodiment, a device such as host IHS 103 and/or external security offload device 104 may store security policies in a security policy database (not shown) within such devices.
  • SA Security Association
  • SA is a set of security information that describes a particular type of secure connection between two devices. The SA information includes the particular security mechanisms that two devices may employ to securely communicate with one another.
  • external security offload device 104 operates as a network-attached device.
  • a network-attached device may be an information handling system (IHS) that connects to a network and provides file-based storage services and/or other specialized services.
  • external security offload device 104 provides the specialized security-related services of encapsulation, decapsulation, encryption, decryption and authentication.
  • SA IPsec security associations
  • This arrangement enables the external security offload device 104 to be a stateless device.
  • Some embodiments may integrate the external security offload device 104 with other network services, for example firewall services, intrusion detection services, and deep packet inspection services for unencrypted data that also pass through the external security offload device of the network node.
  • the physical separation between the external security offload device 104 and the host IHS 103 of the network node 101, and the stateless nature of the external security offload device 104 facilitates (1) "hot swapping" or replacement of the external security offload device 104 with minimum system interference or disruption, and (2) enables the configuration of multiple external security offload devices for load balancing or hot-standby without the complications of state synchronization, and further (3) enables dynamic enabling and disabling of the external security offload devices for system maintenance or for multi-homed hosts.
  • a multi-homed host includes multiple network connections.
  • a multi-homed host may connect to multiple networks or the same network.
  • One embodiment of the disclosed network system 100 off-loads security processing from the host IHS 103 to the external security offload device 104 of the network node 101.
  • the TCP/IP stack 184 of the network software 183' in the operating system 181' of the host IHS 103 maintains state information.
  • the network software 183' in the operating system 181' of the host IHS 103 communicates a selection of outbound metadata for the IP data packets to the external security offload device 104.
  • Outbound metadata may include information about the IP data packets that network software 183' of the host IHS 103 transmits to external security offload device 104.
  • Outbound metadata may include IPsec security association (SA) information and the relevant SA state information that applies to the IP data packet.
  • SA information refers to negotiated SA attributes such as the specification of which network traffic is allowed to use a tunnel (for example, IPsec can limit this to particular network addresses or protocols), choice of cryptographic algorithms for authentication, encryption and decryption; the cryptographic keys used for these algorithms; and the method for encapsulating data. For example, IPsec allows for tunnel and transport modes of encapsulation.
  • SA state information refers to attributes of the SA that change over its lifetime, such as counters used for replay protection, or counters used to limit the amount of data protected by the SA.
  • the network software 183' of the IHS operating system 181' may attach outbound metadata to IP data packets by inserting internet protocol (IP) headers into the IP data packets, and may send the IP data packets and outbound metadata to the external security offload device 104, or the network software 183' may send special purpose Ethernet frames to communicate the IP packet data and the outbound metadata to the external security offload device 104.
  • IP internet protocol
  • network software 183' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol such as the IPsec protocol. Other embodiments may use other security protocols.
  • the TCP/IP stack 184 in the host IHS 103 sends IP data packets to an external security offload device 104.
  • the SA policy rules of the network software 183' in the operating system 181' of the host IHS 103 determine the rules governing encapsulation of packets using IPsec.
  • the network software 183' implementing the TCP/IP stack 184 chooses the appropriate IPsec SA to use for encapsulating the data packet.
  • the corresponding necessary outbound metadata may include the security parameter index (SPI) and the protocol of a tunnel, that is, the specific protocol that the tunnel uses for data transfer, for example: Authentication Header (AH) protocol or Encapsulating Security Payload (ESP) protocol.
  • the outbound metadata may also include an IPsec sequence number that the TCP/IP stack 184 chooses for external security offload device 104 to use when external security offload device 104 encapsulates a IP data packet.
  • the external security offload device 104 sends a responsive encrypted, encapsulated IPsec data packet back to the TCP/IP stack 184 in the network software 183' of the host IHS 103 for transmission over the communications network 102 to a final destination using an internal network interface controller 107.
  • External security offload device 104 may send inbound metadata back to TCP/IP stack 184 in response to IP data packet encapsulation and/or encryption requests that external security offload device receives from TCP/IP stack 184.
  • the inbound metadata may include a result code to signify the success or failure of an encapsulation operation.
  • the TCP/IP stack 184 in the network software 183' of the host IHS 103 sends an IPsec packet to an external security offload device 104 for decryption and decapsulation.
  • TCP/IP stack 184 may send outbound metadata along with the encapsulated data packet that requires decapsulation.
  • the outbound metadata may include selection information that instructs external security offload device 104 to conduct a decapsulation operation.
  • the external security offload device 104 sends a decapsulated packet back to the TCP/IP stack 184 in the network software 183' of the host IHS 103 for inbound data packet processing.
  • external offload security device 104 may send inbound metadata to TCP/IP stack 184.
  • the inbound metadata may include the SPI and protocol, AH or ESP of the tunnel that communications network 102 used to transport the data packets so that the TCP/IP stack 184 may check which SA that the external security offload device 104 used against the TCP/IP policy rules for the data packet.
  • the metadata may also include the IPsec replay sequence number that TCP/IP stack 184 observes for the packet.
  • the TCP/IP stack 184 may perform a final stateful check to verify if a data packet is "replayed" and therefore invalid.
  • the metadata information that may be exchanged between the TCP/IP stack 184 in the network software 183' of the operating system 181' in the host IHS 103 and the external security offload device 104 may include the selection or indication of the performed operation, such as encapsulate, encapsulated, decapsulate, decapsulated.
  • the metadata may include key information such as a result code, if applicable, for the operation, and the selection or indication of the tunnel protocol and SPI.
  • the key information may also include the selection or indication of the packet replay sequence number.
  • the packet replay sequence number is the state information that allows the external security offload device to operate in a stateless manner.
  • TABLE 1 shows an example inbound or outbound IP option header including key information (metadata) that the TCP/IP stack 184 of the network software 183' of the operating system 181' in the host IHS 103 and the external security offload device 104 may exchange.
  • the fields include the 'Option type' ipo_typ and the 'Option length' ipo_len, which are each one byte in length.
  • the 1 byte long 'flow function code' ipo_secoff_function may indicate #1 - decapsulate, #2 - decapsulated, #3 - encapsulate, or #4 - encapsulated.
  • the 1 byte long ipo_secoff_rc indicates the 'return code' for flows #1 or #4.
  • the 'primary protocol' field may be the 1 byte long ipo_decoff_protocol. For flows #2 or #3, ipo_decoff_protocol indicates the protocol pertaining to the SPI.
  • either the AH or the ESP SPI may be specified for a tunnel that may use both AH and ESP.
  • Table 1 reserves the 3 byte ipo_secoff_rsvd field for future use.
  • the 4 byte long field ipo_secoff_spi identifies the local SPI in the original inbound packet for flow #2, or the remote SPI to be used for the outbound packet in flow #3.
  • the 4 byte long ipo_secoff_seq field may be the sequence number in the original inbound packet for flow #2, or the sequence number that the metadata specifies for the outbound packet for flow #3.
  • Both the AH and ESP headers should use the value of ipo_secoff_seq provided for flow #3 if both protocols AH and ESP are in use.
  • TABLE 1: IP option header for communicating IPsec metadata
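As an added example (not code from the patent), the following Python models the TABLE 1 option header and the host-side state the description above places in the TCP/IP stack: the host picks the outbound sequence number for flow #3, and runs the final stateful replay check on the SPI, protocol and sequence number the offload device reports in flow #2. The option type byte is a constructed placeholder and the AH/ESP encoding (standard IP protocol numbers 51 and 50) is an assumption, since the page fixes neither.

```python
import struct
from dataclasses import dataclass

# Flow function codes for ipo_secoff_function, as listed for TABLE 1.
FLOW_DECAPSULATE = 1    # host -> offload device: decapsulate this packet
FLOW_DECAPSULATED = 2   # offload device -> host: result of a decapsulation
FLOW_ENCAPSULATE = 3    # host -> offload device: encapsulate this packet
FLOW_ENCAPSULATED = 4   # offload device -> host: result of an encapsulation
VALID_FLOWS = (FLOW_DECAPSULATE, FLOW_DECAPSULATED, FLOW_ENCAPSULATE, FLOW_ENCAPSULATED)

# Assumption: the protocol field carries the standard IP protocol numbers for
# AH (51) and ESP (50); the page names AH/ESP but does not fix the encoding.
PROTO_ESP = 50
PROTO_AH = 51

# Constructed placeholder: the page does not assign an IP option type number.
IPO_TYP_SECOFF = 0x9E
OPTION_LEN = 16          # 1+1+1+1+1+3+4+4 bytes, the field widths given for TABLE 1
_FMT = "!BBBBB3sII"      # typ, len, function, rc, protocol, rsvd, spi, seq


@dataclass
class SecOffOption:
    """The metadata option exchanged between host TCP/IP stack and offload device."""
    function: int
    rc: int
    protocol: int
    spi: int
    seq: int

    def pack(self) -> bytes:
        return struct.pack(_FMT, IPO_TYP_SECOFF, OPTION_LEN, self.function,
                           self.rc, self.protocol, b"\x00" * 3, self.spi, self.seq)

    @classmethod
    def unpack(cls, raw: bytes) -> "SecOffOption":
        if len(raw) < OPTION_LEN:
            raise ValueError("option truncated")
        typ, length, fn, rc, proto, _rsvd, spi, seq = struct.unpack(_FMT, raw[:OPTION_LEN])
        if typ != IPO_TYP_SECOFF or length != OPTION_LEN:
            raise ValueError("not a security offload option")
        if fn not in VALID_FLOWS:
            raise ValueError(f"unknown flow function code {fn}")
        return cls(fn, rc, proto, spi, seq)


class HostSAState:
    """Per-SA state the host TCP/IP stack keeps so the offload device can stay
    stateless: the outbound sequence counter and the inbound anti-replay window."""

    def __init__(self, spi: int, protocol: int, window: int = 64):
        self.spi = spi
        self.protocol = protocol
        self.next_out_seq = 1      # next IPsec sequence number to hand out (flow #3)
        self.window = window       # anti-replay window size in packets
        self.highest_in = 0        # highest sequence number accepted so far
        self.seen = 0              # bitmap: bit d set => highest_in - d was accepted

    def encapsulate_request(self) -> SecOffOption:
        """Flow #3: the host chooses the sequence number and passes it with the remote SPI."""
        opt = SecOffOption(FLOW_ENCAPSULATE, 0, self.protocol, self.spi, self.next_out_seq)
        self.next_out_seq += 1
        return opt

    def check_decapsulated(self, opt: SecOffOption) -> bool:
        """Flow #2: check the SA the device used against policy, then do the
        final stateful replay check on the sequence number it observed."""
        if opt.function != FLOW_DECAPSULATED:
            return False
        if opt.spi != self.spi or opt.protocol != self.protocol:
            return False  # packet arrived on a different SA than policy expects
        seq = opt.seq
        if seq == 0:
            return False  # sequence numbers start at 1; 0 is never valid
        if seq > self.highest_in:
            shift = seq - self.highest_in  # slide the window forward
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest_in = seq
            return True
        diff = self.highest_in - seq
        if diff >= self.window:
            return False  # older than the window: drop
        if (self.seen >> diff) & 1:
            return False  # already accepted once: replayed
        self.seen |= 1 << diff
        return True


def encapsulated_ok(raw: bytes) -> bool:
    """Flow #4: the device's reply to an encapsulate request. Assumption: rc 0
    means success; the page only says rc signals success or failure."""
    opt = SecOffOption.unpack(raw)
    return opt.function == FLOW_ENCAPSULATED and opt.rc == 0
```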
  • FIGs. 2 and 3 are flow charts that describe embodiments of "in-band" processing that a network switch, router, firewall or intrusion detection device may perform when serving as a gateway or gatekeeper for data traffic flowing to the TCP/IP stack 184 in the network software of the operating system in the host IHS.
  • "In-band" processing takes place within external security offload device 104.
  • The "in-band" processing may encapsulate and encrypt packets for the external security offload device 104 to send directly to the final network destination without needing to send the packets back to the TCP/IP stack 184, and may decapsulate incoming data packets for immediate processing by the external security offload device before passing the packets on to the TCP/IP stack 184.
  • FIGs. 4 and 5 described below show embodiments of "out-of-band” processing wherein all data packets pass from the TCP/IP stack 184 to the external security offload device 104 for
  • Out-of-band processing is processing that is done outside of external security offload device 104; it may involve another round trip between external security offload device 104 and host IHS 103.
  • The flow chart of FIG. 2 describes one embodiment of the disclosed method of applying a data security protocol to an outbound data packet at the stateless external security offload device 104. Outbound data packets are those data packets that host IHS 103 of network node 101 transmits to other network nodes.
  • External security offload device 104 may perform other networking functions, such as providing a firewall and/or intrusion detection services (IDS), as well as data security protocol operations.
  • External security offload device 104 provides "in-band" processing of outbound data packets by performing security operations on them and sending them to a destination node without the necessity of returning them to host IHS 103 for further security processing.
  • The flowchart of FIG. 2 refers to stateless external security offload device 104 as "offload device".
  • Each block in the flowchart of FIG. 2 includes a descriptor such as "offload device" or "host IHS" to identify the structure that performs the function of the respective block in one embodiment.
  • Process flow commences at start block 205.
  • Application 182" in host IHS 103 sends a data packet to the network software 183' of host IHS 103 operating system 181', as per block 210. If network transmission of the data packet does not require security processing, as per decision block 215, the network software 183' in the host IHS 103 operating system 181' sends the data packet over the network to the external security offload device 104, and from there directly via the external network interface controller 106 to a final destination network node, as per block 245, and process flow ends with block 250.
  • If security processing is required, network software 183' of operating system 181' may apply security metadata and state data to the data packet according to flow #3 of TABLE 1, as per block 220. This security metadata is outbound metadata.
  • The network software 183' of operating system 181' sends the metadata and data packet over network secure data link 105 to external security offload device 104, as per block 225.
  • External security offload device 104 receives and reads the data packet and corresponding metadata, including state data, as per block 230.
  • External security offload device 104 may perform optional processing such as firewall services and/or intrusion detection services (IDS) on the data packet, as per block 235, and encrypts and encapsulates the data packet, as per block 240.
  • External security offload device 104 sends the encapsulated encrypted data packet directly to the final destination network node over the network, as per block 245, via external network interface controller 106. Process flow ends with block 250.
  • The flow chart of FIG. 3 describes one embodiment of the disclosed method of receiving inbound data packets from a network via external security offload device 104.
  • Inbound data packets are those data packets that host IHS 103 of network node 101 receives from other network nodes.
  • External security offload device 104 receives inbound data packets and provides "in-band" processing of them by performing security operations on inbound data packets without the necessity of returning them to host IHS 103 for further security processing.
  • External security offload device 104 sends decapsulated decrypted data packets to host IHS 103, but host IHS 103 need not perform other security operations on these data packets. Rather, an application in host IHS 103 may directly use the decapsulated decrypted data packets that host IHS 103 receives from external security offload device 104.
  • Process flow commences with start block 305.
  • External security offload device 104 receives a data packet from the network via external network interface controller 106, as per block 310.
  • External security offload device 104 performs a test to determine if the data packet requires security processing, as per decision block 320.
  • To make this determination, external security offload device 104 checks for IPsec protocol headers within the data packet, or checks static security policy and SA information that external security offload device 104 receives from host IHS 103. It is noted that SA state information may still reside in network software 183' of host IHS 103.
  • If the data packet does not require security processing, external security offload device 104 may perform optional processing such as providing firewall services and/or IDS services, as per block 345, and sends the data packet to the host IHS 103 via secure data link 105, as per block 350.
  • If the data packet does require security processing, external security offload device 104 decapsulates and decrypts the packet, as per block 330, and performs optional processing such as firewall and/or IDS or other optional processing, as per block 335.
  • External security offload device 104 may add inbound metadata, including state data, according to flow #2 of TABLE 1, as per block 340, and sends the data packet to host IHS 103 via secure data link 105, as per block 350.
  • Network software 183' in operating system 181' of host IHS 103 receives the data packet from external security offload device 104, as per block 355, and performs state checking, as per block 360.
  • Network software 183' in operating system 181' processes the data packet and forwards the data packet to application 182', as per block 365. Process flow ends with block 370.
  • The flow chart of FIG. 4 describes another embodiment of the disclosed method of applying security to an outbound data packet at an external security offload device 104 on behalf of host IHS 103.
  • This embodiment employs "out-of-band" processing for handling those data packets that require security operations such as encryption and encapsulation.
  • Stateless external security offload device 104 handles security operations such as encrypting and encapsulating a data packet that it receives from host IHS 103 for security processing.
  • Stateless external security offload device 104 sends the resultant encapsulated encrypted data packet back to host IHS 103 for transmission to the destination of that data packet.
  • External security offload device 104 may also perform other networking functions such as providing a firewall or IDS.
  • Process flow commences at start block 405.
  • Application 182" in host IHS 103 sends a data packet to network software 183' of host IHS 103 operating system 181', as per block 410.
  • Network software 183' performs a test to determine if network transmission of the data packet requires application of a security protocol to the data packet, as per decision block 415.
  • Network software 183' makes this determination by referencing security policy.
  • In one embodiment, the application software 182" may instruct the TCP/IP stack 184 of network software 183' to initiate the decision for applying a security protocol to the data packet. If the network software 183' determines that the data packet does not require application of a security protocol, then host IHS 103 transfers the packet via internal network interface controller 107 directly to a final destination network node, as per block 445.
  • If a security protocol is required, network software 183' in operating system 181' may apply metadata and state data according to flow #3 in TABLE 1, as per block 420. Such metadata is outbound metadata.
  • The network software 183' of host IHS 103 operating system 181' sends the metadata and data packet over network secure data link 105 to external security offload device 104, as per block 425.
  • External security offload device 104 receives and reads the data packet and metadata, as per block 430.
  • External security offload device 104 may also perform optional processing such as firewall processing and/or IDS, as per block 435.
  • The external security offload device 104 encapsulates and encrypts the data packet and sends the encrypted encapsulated data packet over secure data link 105 back to the network software 183' in operating system 181', as per block 440.
  • Network software 183' in operating system 181' receives the encapsulated packet, as per block 443.
  • Network software 183' sends the encapsulated data packet via internal network interface controller 107 to the final destination network node via the communications network 102, as per block 445.
  • The flow chart of FIG. 5 describes another embodiment of the disclosed method of receiving data packets from a network via internal network interface controller 107.
  • This embodiment employs "out-of-band" processing for handling those inbound data packets that require security operations such as decapsulation and decryption.
  • Inbound data packets are those data packets that host IHS 103 receives from other network nodes.
  • Stateless external security offload device 104 handles security operations such as decrypting and decapsulating a data packet that it receives from host IHS 103 for security processing.
  • Stateless external security offload device 104 sends the resultant decapsulated decrypted data packet back to host IHS 103 for forwarding to the destination application 182' of that data packet.
  • Process flow commences with start block 505.
  • Network software 183' in operating system 181' receives a data packet from internal network interface controller 107, as per block 510. This received data packet is an inbound data packet that host IHS 103 of network node 101 receives from another network node.
  • Network software 183' performs a test to determine if the data packet requires security processing, as per decision block 520. If the data packet does not require security processing, then the network software 183' in operating system 181' processes the data packet and forwards the data packet to application 182", as per block 565. The process flow terminates with block 570.
  • If the data packet requires security processing, the network software 183' in operating system 181' sends the data packet over secure data link 105 to external security offload device 104, as per block 525.
  • External security offload device 104 receives the packet, as per block 530, and decapsulates and decrypts the packet, as per block 535.
  • External security offload device 104 may optionally perform firewall processing and/or IDS or other services, as per block 540.
  • External security offload device 104 may add security metadata, including state data, to the packet according to flow #3 of TABLE 1, as per block 545.
  • The external security offload device 104 sends the decapsulated, decrypted data packet back via the secure data link 105 to the network software 183' in operating system 181', as per block 550.
  • The network software 183' in operating system 181' receives the decapsulated, decrypted data packet from the external security offload device 104, as per block 555, and performs a state check, as per block 560.
  • The network software 183' in host IHS 103 then processes the data packet and forwards the data packet to application 182", as per block 565. This processing of the data packet by network software 183' may involve protocol and consistency checks prior to presentation of the data packet to application 182". The process flow ends with block 570.
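The state check at block 360 (FIG. 3) and block 560 (FIG. 5) is what lets the offload device stay stateless: the device hands back the original SPI and sequence number in the inbound metadata, and the host, which owns the SA state, decides whether the packet is a replay; for outbound traffic the host is likewise the source of the ipo_secoff_seq value it places in the flow #3 metadata. The page does not describe the check itself. The added example below (not the patent's code) models the host side of that split with the standard IPsec sliding anti-replay window (RFC 4303 Appendix A style, 32-bit sequence numbers, no ESN) and a monotonic outbound counter; the class and method names are invented for illustration.

```python
"""Host-side SA state for a stateless offload device (FIG. 3 block 360, FIG. 5 block 560).

Added example, not code from the patent. Assumptions: 32-bit sequence numbers
without ESN; the replay window follows the RFC 4303 Appendix A sliding-window
scheme; class and method names are invented for illustration.
"""
from dataclasses import dataclass

PROTO_ESP = 50
PROTO_AH = 51
SEQ_MAX = 0xFFFFFFFF


@dataclass
class InboundSaState:
    """Anti-replay state kept by the host for one inbound SA."""
    window_size: int = 64
    highest_seq: int = 0      # largest sequence number accepted so far
    bitmap: int = 0           # bit i set => highest_seq - i already accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0 or seq > SEQ_MAX:
            return False          # 0 is never a valid sequence number
        if seq > self.highest_seq:
            # Slide the window forward; bit 0 marks seq itself.
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False          # too old: left of the window
        if self.bitmap & (1 << offset):
            return False          # already accepted: replay
        self.bitmap |= 1 << offset
        return True


@dataclass
class OutboundSaState:
    """Monotonic counter the host uses to fill ipo_secoff_seq for flow #3."""
    next_seq: int = 1

    def allocate(self):
        if self.next_seq > SEQ_MAX:
            raise RuntimeError("sequence number space exhausted; rekey the SA")
        seq = self.next_seq
        self.next_seq += 1
        return seq


class HostSaTable:
    """The SA state that stays in network software 183' while the device stays stateless."""

    def __init__(self):
        self._inbound = {}    # (protocol, local spi) -> InboundSaState
        self._outbound = {}   # (protocol, remote spi) -> OutboundSaState

    def add_inbound(self, protocol, local_spi, window_size=64):
        self._inbound[(protocol, local_spi)] = InboundSaState(window_size)

    def add_outbound(self, protocol, remote_spi):
        self._outbound[(protocol, remote_spi)] = OutboundSaState()

    def verify_inbound(self, protocol, spi, seq):
        """State check on the SPI/seq the offload device returned in flow #2 metadata."""
        sa = self._inbound.get((protocol, spi))
        if sa is None:
            return False          # no such SA: drop
        return sa.check_and_update(seq)

    def outbound_metadata(self, protocol, remote_spi):
        """Values the host places in ipo_secoff_spi / ipo_secoff_seq for flow #3."""
        sa = self._outbound[(protocol, remote_spi)]
        return remote_spi, sa.allocate()
```

Because the device only reports the packet's original sequence number and does not consume it, a replayed ciphertext that the device decrypts a second time is still rejected by the host at block 360 or 560; that is why the sequence number has to travel with the packet over secure data link 105 rather than being checked on the device.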
  • The external security offload device 104 stores a copy of static SA information so that external security offload device 104 may decide on its own whether or not a packet requires security processing.
  • The external security offload device 104 may store SA information.
  • The inbound in-band embodiment of FIG. 3 may require that the security offload device 104 store unchanging SA information, i.e.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)
PCT/IB2013/051061 2012-02-21 2013-02-08 Network node with network-attached stateless security offload device WO2013124758A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
GB1414604.7A GB2512807B (en) 2012-02-21 2013-02-08 Network node with network-attached stateless security offload device
DE112013000649.9T DE112013000649B4 (de) 2012-02-21 2013-02-08 Network node with a network-attached stateless security offload unit
CN201380010353.3A CN104137508B (zh) 2012-02-21 2013-02-08 Network node with network-attached stateless security offload device
JP2014553855A JP5746446B2 (ja) 2012-02-21 2013-02-08 Network node using a network-attached stateless security offload device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US13/400,577 2012-02-21
US13/400,575 2012-02-21
US13/400,575 US20130219167A1 (en) 2012-02-21 2012-02-21 Network node with network-attached stateless security offload device employing in-band processing
US13/400,577 US8918634B2 (en) 2012-02-21 2012-02-21 Network node with network-attached stateless security offload device employing out-of-band processing

Publications (1)

Publication Number Publication Date
WO2013124758A1 true WO2013124758A1 (en) 2013-08-29

Family

ID=49005080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2013/051061 WO2013124758A1 (en) 2012-02-21 2013-02-08 Network node with network-attached stateless security offload device

Country Status (5)

Country Link
JP (1) JP5746446B2
CN (1) CN104137508B
DE (1) DE112013000649B4
GB (1) GB2512807B
WO (1) WO2013124758A1

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105678553A (zh) * 2015-08-05 2016-06-15 Tencent Technology (Shenzhen) Co., Ltd. Method, device and system for processing order information
US10225241B2 (en) * 2016-02-12 2019-03-05 Jpu.Io Ltd Mobile security offloader
WO2018112948A1 (zh) * 2016-12-23 2018-06-28 深圳前海达闼云端智能科技有限公司 Block generation method and apparatus, and blockchain network
JP6588048B2 (ja) * 2017-03-17 2019-10-09 Toshiba Corporation Information processing device
JP6518378B1 (ja) * 2018-12-21 2019-05-22 瀧口 信太郎 Authentication system, authentication method, and authentication program
US10506426B1 (en) 2019-07-19 2019-12-10 Capital One Services, Llc Techniques for call authentication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222509A (zh) * 2008-01-22 2008-07-16 ZTE Corporation Data protection transmission method for a peer-to-peer network
US20090038004A1 (en) * 2007-07-31 2009-02-05 Gabor Blasko Role change based on coupling or docking of information handling apparatus and method for same
CN201788511U (zh) * 2010-08-18 2011-04-06 赵景壁 Security information interaction device

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7017042B1 (en) * 2001-06-14 2006-03-21 Syrus Ziai Method and circuit to accelerate IPSec processing
US20050060538A1 (en) * 2003-09-15 2005-03-17 Intel Corporation Method, system, and program for processing of fragmented datagrams
US7539858B2 (en) * 2004-04-05 2009-05-26 Nippon Telegraph And Telephone Corporation Packet encryption substituting device, method thereof, and program recording medium
JP2006041726A (ja) * 2004-07-23 2006-02-09 Matsushita Electric Industrial Co., Ltd. Shared key exchange system, shared key exchange method, and program
US8407778B2 (en) * 2005-08-11 2013-03-26 International Business Machines Corporation Apparatus and methods for processing filter rules
JP2007329730A (ja) * 2006-06-08 2007-12-20 Kawasaki Microelectronics, Inc. Communication protocol processing device
JP2009230476A (ja) * 2008-03-24 2009-10-08 Toshiba Corporation Apparatus, method and program for processing messages
JP4906800B2 (ja) * 2008-07-02 2012-03-28 Mitsubishi Electric Corporation Communication device, cryptographic communication system, communication method, and communication program
US8700892B2 (en) * 2010-03-19 2014-04-15 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
JP5779434B2 (ja) * 2011-07-15 2015-09-16 Socionext Inc. Security device and security system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017527171A (ja) * 2014-07-29 2017-09-14 Hewlett-Packard Development Company, L.P. Transmission of an authentication mark
JP2017500822A (ja) * 2014-09-25 2017-01-05 Xiaomi Inc. Information exchange method, apparatus and electronic device
JP2018502368A (ja) * 2014-12-09 2018-01-25 International Business Machines Corporation Method, storage subsystem, cloud storage system, data processing program and computer program product for storing data in a shared networked environment (automated management of confidential data in cloud environments)
US10474830B2 (en) 2014-12-09 2019-11-12 International Business Machines Corporation Automated management of confidential data in cloud environments
US11062037B2 (en) 2014-12-09 2021-07-13 International Business Machines Corporation Automated management of confidential data in cloud environments
JP5847345B1 (ja) * 2015-04-10 2016-01-20 Sakura Information Systems Co., Ltd. Information processing device, authentication method, and program

Also Published As

Publication number Publication date
GB2512807B (en) 2014-11-19
CN104137508A (zh) 2014-11-05
JP2015511434A (ja) 2015-04-16
JP5746446B2 (ja) 2015-07-08
DE112013000649T5 (de) 2014-11-06
CN104137508B (zh) 2017-07-07
GB201414604D0 (en) 2014-10-01
GB2512807A (en) 2014-10-08
DE112013000649B4 (de) 2020-11-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13751958

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014553855

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 1414604

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20130208

WWE Wipo information: entry into national phase

Ref document number: 1414604.7

Country of ref document: GB

Ref document number: 1120130006499

Country of ref document: DE

Ref document number: 112013000649

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13751958

Country of ref document: EP

Kind code of ref document: A1