49 results about "Security Parameter Index" patented technology

A method and system for distributed network address translation with security features. The method and system allow Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and a IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation. The router issues security certificates and may itself be authenticated by a higher certificate authority. Using a security certificate, a local network device may initiate and be a termination point of an IPsec security association to virtually any other network device on an IP network like the Internet or an intranet. The method and system may also allow distributed network address translation with security features to be used with Mobile IP or other protocols in the Internet Protocol suite.

An initiating device: generates a message having an ISAKMP-based header that includes a security parameter index (SPI) field; identifies a key in the SPI field of the ISKMP-based header; and sends the message to a responding device. The responding device: receives the message; extracts the key identifier; and when a shared key is selected using the key identifier, uses the selected shared key to establish, with the initiating device, a session having a secure tunnel.

The present invention utilizes the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assigns a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public / private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.

For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer.

The present invention provides a method for realizing message passing through a network address translation device, including: S1, the intranet sends a message to the network address translation device, and the message carries the internal network IP address, the internal network security parameter index and the external network security Parameter index; S2. The network address translation device receives the message, and according to the internal network IP address carried in the message, the internal network security parameter index and the external network security parameter index and the public network Establish a mapping table for the IP address; S3. Convert the internal network IP address of the message to the public network IP address according to the mapping table, and send the message to the public network IP address through the public network IP address An external network device; the external network security parameter index is the security parameter index of the external network device. The present invention establishes NAT device address mapping, so that when the message in the IPSec tunnel performs NAT traversal, the port address translation can be performed without adding UDP.

In a communication session in which data flows with encrypted data packets pass through a monitoring intermediary for data traffic control. The encrypted data packets include SPIs (Secured Parameter Indexes) which are used to identify SAs (Security Associations) for data decryption. During the initial signaling process for the communication session, the nodes seeking the communication session include the SPIs in the signaling messages and send the signaling messages through the monitoring intermediary which in turn matches the SPIs of the signaling messages with the corresponding SPIs extracted from the data packets. In enforcing data traffic control, the monitoring intermediary allows data flows to pass through if comparison matches in the SPIs are found. Otherwise, the data flows are rejected.