Transport relay in communications network

US10904219B2 · US · B2

Patent metadata
Publication number: US-10904219-B2
Application number: US-201616080344-A
Country: US
Kind code: B2
Filing date: Mar 2, 2016
Priority date: Mar 2, 2016
Publication date: Jan 26, 2021
Grant date: Jan 26, 2021


Abstract

Official abstract text for this publication.

A relay-proxy device has first and second interfaces allowing connection to a first node and a second node respectively, wherein the relay-proxy device is configured with at least one key, and the relay-proxy device is operable to: receive a traffic flow in an encrypted transport protocol on the first interface; decrypt a first part of the traffic flow with said key, wherein a second part of the traffic flow cannot be decrypted with said key; perform a management function based on a content of the decrypted first part of the traffic flow; and forward at least the second part of the encrypted traffic flow to the second interface.

Claims

Claim text as recorded for this publication; the record breaks off partway through claim 24.

The invention claimed is:

1. A relay-proxy device comprising a processor and a memory, the memory containing instructions executable by the processor, such that the relay-proxy device is configured to: receive a traffic flow in an encrypted transport protocol on a first interface of the relay-proxy device, wherein the first interface allows connection to a first node; decrypt a first part of the traffic flow with at least one key with which the relay-proxy device is configured, wherein a second part of the traffic flow cannot be decrypted with said at least one key; perform a management function based on a content of the decrypted first part of the traffic flow; and forward at least the second part of the traffic flow to a second interface of the relay-proxy device, wherein the second interface allows connection to a second node.

2. The relay-proxy device as claimed in claim 1 further configured to: re-encrypt the first part of the traffic flow with said at least one key; and forward the re-encrypted first part of the traffic flow to the second interface.

3. The relay-proxy device as claimed in claim 1 further configured to terminate the first part of the traffic flow, wherein the relay-proxy device is configured to forward only the second part, not the first part, of the traffic flow to the second interface of the relay-proxy device.

4. The relay-proxy device as claimed in claim 1 wherein the relay-proxy device is configured with the at least one key by requesting the at least one key from one of the first node and second node.

5. The relay-proxy device as claimed in claim 1 wherein the first node is a client node and the second node is an origin server.

6. The relay-proxy device as claimed in claim 1 wherein the traffic flow received on the first interface is all traffic from the first node to the second node.

7. The relay-proxy device as claimed in claim 1 wherein the traffic flow received on the first interface is at least a part of traffic from the first node to the second node.

8. The relay-proxy device as claimed in claim 1 wherein the relay-proxy device is configured with a plurality of keys, and wherein the relay-proxy device is further configured to: decrypt parts of the first part of the traffic flow with said plurality of keys.

9. The relay-proxy device as claimed in claim 1 wherein the at least one key has a predetermined life span.

10. The relay-proxy device as claimed in claim 1 further configured to append new frames to the traffic flow.

11. The relay-proxy device of claim 1, wherein the first part of the traffic flow and the second part of the traffic flow comprise different fields of the encrypted transport protocol.

12. The relay-proxy device of claim 1, wherein the second part of the traffic flow is encrypted with a separate set of one or more keys which is separate from a transport protocol security session associated with the traffic flow, wherein the at least one key with which the first part of the traffic flow is decrypted is included in the transport protocol security session, and wherein the relay-proxy device is not configured with the separate set of one or more keys.

13. A method of operation of a relay-proxy device, wherein the relay-proxy device has first and second interfaces allowing connection to a first node and a second node respectively, and wherein the relay-proxy device is configured with at least one key, the method comprising: receiving a traffic flow in an encrypted transport protocol on the first interface; decrypting a first part of the traffic flow with said at least one key, wherein a second part of the traffic flow cannot be decrypted with said at least one key; performing a management function based on a content of the decrypted first part of the traffic flow; and forwarding at least the second part of the traffic flow to the second interface.

14. The method as claimed in claim 13 further comprising: re-encrypting the first part of the traffic flow with said at least one key; and forwarding the re-encrypted first part of the traffic flow to the second interface.

15. A first network node configured for use in a communication system further comprising a second node and a relay-proxy device connected between the first node and the second node, the first network node comprising a processor and a memory, the memory containing instructions executable by the processor, such that the first network node is configured to: transmit a first part of a traffic flow from the first node through the relay-proxy device to the second node in an encrypted form, wherein the relay-proxy device is configured with at least one key for decryption of the first part of the traffic flow; and transmit a second part of the traffic flow from the first node through the relay-proxy device to the second node, wherein the traffic flow is in an encrypted transport protocol such that the relay-proxy device is unable to decrypt the second part of the traffic flow.

16. The first network node as claimed in claim 15, configured to encrypt the first part of the traffic flow with a first encryption key and encrypt the second part of the traffic flow with a second encryption key.

17. The first network node as claimed in claim 16, further configured to: send a first key to the relay-proxy device to allow decryption of the first part of the traffic flow; and refrain from sending to the relay-proxy device a second key that allows decryption of the second part of the traffic flow.

18. The first network node as claimed in claim 17, further configured to: send a first key and a second key to the second node to allow decryption of the first and second parts of the traffic flow.

19. The first network node as claimed in claim 18, wherein the first key and/or the second key has a predetermined life span.

20. The first network node as claimed in claim 15, wherein the first network node is an origin server.

21. The first network node of claim 15, wherein the first part of the traffic flow and the second part of the traffic flow comprise different fields of the encrypted transport protocol.

22. The first network node of claim 15, wherein the second part of the traffic flow is encrypted with a separate set of one or more keys which is separate from a transport protocol security session associated with the traffic flow, wherein the at least one key for decryption of the first part of the traffic flow is included in the transport protocol security session, and wherein the first network node does not provide the separate set of one or more keys to the relay-proxy device.

23. A method of operation of a first network node in a communication system further comprising a second node and a relay-proxy device connected between the first node and the second node, the method comprising: transmitting a first part of a traffic flow from the first node through the relay-proxy device to the second node in an encrypted form, wherein the relay-proxy device is configured with at least one key for decryption of the first part of the traffic flow; and transmitting a second part of the traffic flow from the first node through the relay-proxy device to the second node, wherein the traffic flow is in an encrypted transport protocol such that the relay-proxy device is unable to decrypt the second part of the traffic flow.

24. The method as claimed in claim 23, comprising encrypting the first part of the traffic flow with a first
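The split-key arrangement in claims 1, 2 and 15 to 18 is easiest to see in code. The following Go program is an added example (not code from the patent or from Ericsson): the client seals the management part of each packet under a key it shares with the relay proxy and the payload under an end-to-end key the proxy never receives; the proxy decrypts, acts on and re-encrypts only the management part and forwards the payload as received; the origin holds both keys. The packet layout, field names, key values and the use of AES-GCM are constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Packet is one unit of the flow: Mgmt is the proxy-readable "first part", Payload the
// end-to-end "second part"; both AES-GCM, nonce prepended (constructed layout, 16-byte keys).
type Packet struct{ Mgmt, Payload []byte }
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("short ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
// ClientSend (claims 15-17): the management part is sealed under the key shared
// with the proxy, the payload under a key the proxy is never given.
func ClientSend(proxyKey, e2eKey []byte, mgmt, payload string) Packet {
	return Packet{seal(proxyKey, []byte(mgmt)), seal(e2eKey, []byte(payload))}
}

// ProxyRelay (claims 1-2): decrypt only the first part, act on it (returned as the management
// content), re-encrypt it, forward the payload untouched; GCM rejects the payload under the proxy key.
func ProxyRelay(proxyKey []byte, in Packet) (Packet, string, error) {
	mgmt, err := open(proxyKey, in.Mgmt)
	if err != nil {
		return Packet{}, "", err
	}
	return Packet{seal(proxyKey, mgmt), in.Payload}, string(mgmt), nil
}
// OriginReceive holds both keys (claim 18) and recovers both parts.
func OriginReceive(proxyKey, e2eKey []byte, in Packet) (string, string, error) {
	m, err := open(proxyKey, in.Mgmt)
	p, errP := open(e2eKey, in.Payload)
	if err == nil {
		err = errP
	}
	return string(m), string(p), err
}
```

Because the payload is authenticated under a key the proxy lacks, any change the proxy makes to it fails authentication at the origin, which is the property that lets the operator place a management function on the path without widening the trust boundary around the application data.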

Assignees

Ericsson Telefon Ab L M
Classifications

Primary CPC classification: H04L63/0281

  • using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it · CPC title

  • applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key (cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms H04L9/14) · CPC title

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • Proxies · CPC title

Frequently asked questions

Who is the assignee on this patent?
Ericsson Telefon Ab L M
What technology area does this patent fall under?
Primary CPC classification H04L63/0281. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 26, 2021 (B2). Legal status and post-grant events are not shown on this page.