IPsec anti-replay window with quality of service

US11509639B2 · US · B2

Patent metadata

Publication number: US-11509639-B2
Application number: US-202017023224-A
Country: US
Kind code: B2
Filing date: Sep 16, 2020
Priority date: Jul 31, 2017
Publication date: Nov 22, 2022
Grant date: Nov 22, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Claims

Claim text for this publication.

The invention claimed is:

1. A method comprising: receiving an Internet protocol security (IPsec) packet; determining a quality of service (QoS) level of the IPsec packet, wherein the QoS level has an assigned security parameter index of a security association with at least one network endpoint; in response to determining a QoS level, selecting an anti-replay window based on the QoS level; and in response to selecting the anti-replay window, processing the IPsec packet based on the anti-replay window.

2. The method of claim 1, further comprising: establishing the security association with the at least one network endpoint.

3. The method of claim 2, wherein the security association includes a plurality of security parameter indexes (SPI), including the assigned security parameter index assigned to the QoS level.

4. The method of claim 1, wherein the anti-replay window is a sliding window of sequence numbers.

5. The method of claim 4, further comprising: determining that the IPsec packet has a sequence number within the sliding window; and in response to the sequence number being within the sliding window, processing the IPsec packet.

6. The method of claim 4, further comprising: determining that the IPsec packet has a sequence number outside of the sliding window; and in response to the sequence number being greater than the sliding window, processing the IPsec packet and moving the sliding window to include the sequence number, or in response to the sequence number being less than the sliding window, dropping the IPsec packet.

7. The method of claim 1, wherein the IPsec packet is a data packet encrypted based on the QoS level.

8. A network device comprising: at least one processor; and at least one memory storing instructions which, when executed, cause the at least one processor to: receive an Internet protocol security (IPsec) packet; determine a quality of service (QoS) level of the IPsec packet, wherein the QoS level has an assigned security parameter index of a security association with at least one network endpoint; in response to determining a QoS level, select an anti-replay window based on the QoS level; and in response to selecting the anti-replay window, process the IPsec packet based on the anti-replay window.

9. The network device of claim 8, further comprising instructions which, when executed, cause the at least one processor to: establish the security association with the at least one network endpoint.

10. The network device of claim 9, wherein the security association includes a plurality of security parameter indexes (SPI) including the assigned security parameter index assigned to the QoS level.

11. The network device of claim 8, wherein the anti-replay window is a sliding window of sequence numbers.

12. The network device of claim 11, further comprising instructions which, when executed, cause the at least one processor to: determine that the IPsec packet has a sequence number within the sliding window; and in response to the sequence number being within the sliding window, process the IPsec packet.

13. The network device of claim 11, further comprising instructions which, when executed, cause the at least one processor to: determine that the IPsec packet has a sequence number outside of the sliding window; and in response to the sequence number being greater than the sliding window, process the IPsec packet and move the sliding window to include the sequence number, or in response to the sequence number being less than the sliding window, drop the IPsec packet.

14. The network device of claim 8, wherein the IPsec packet is a data packet encrypted based on the QoS level.

15. At least one non-transitory computer readable medium storing instructions which, when executed, cause the at least one processor to: receive an Internet protocol security (IPsec) packet; determine a quality of service (QoS) level of the IPsec packet, wherein the QoS level has an assigned security parameter index of a security association with at least one network endpoint; in response to determining a QoS level, select an anti-replay window based on the QoS level; and in response to selecting the anti-replay window, process the IPsec packet based on the anti-replay window.

16. The at least one non-transitory computer readable medium of claim 15, further comprising instructions which, when executed, cause the at least one processor to: establish the security association with the at least one network endpoint.

17. The at least one non-transitory computer readable medium of claim 16, wherein the security association includes a plurality of security parameter indexes (SPI), including the assigned security parameter index assigned to the QoS level.

18. The at least one non-transitory computer readable medium of claim 15, wherein the anti-replay window is a sliding window of sequence numbers.

19. The at least one non-transitory computer readable medium of claim 18, further comprising instructions which, when executed, cause the at least one processor to: determine that the IPsec packet has a sequence number within the sliding window; and in response to the sequence number being within the sliding window, process the IPsec packet.

20. The at least one non-transitory computer readable medium of claim 18, further comprising instructions which, when executed, cause the at least one processor to: determine that the IPsec packet has a sequence number outside of the sliding window; and in response to the sequence number being greater than the sliding window, process the IPsec packet and move the sliding window to include the sequence number, or in response to the sequence number being less than the sliding window, drop the IPsec packet.
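Claims 1 and 4 to 6 describe the per-packet decision in prose: pick the window from the SPI's QoS level, then accept, slide, or drop by sequence number. As an added illustration, not code from the patent or from Cisco, the C below models one SA whose SPIs each map to their own 64-entry sliding window; QOS_LEVELS, the SPI values and the function names are assumptions of the example, and sequence numbers are 32-bit without ESN.

```c
/* Added illustration of the claims above, not Cisco's code: one SA carrying
 * one SPI per QoS level, each SPI bound to its own 64-entry sliding window.
 * QOS_LEVELS and the SPI values are constructed for the example. */
#include <stdint.h>
#include <string.h>
#define QOS_LEVELS 4
#define WIN_BITS   64
/* Sliding window: highest accepted sequence number plus a bitmap of the
 * WIN_BITS sequence numbers ending at it (bit i set => top - i was seen). */
struct ar_window { uint32_t top; uint64_t bitmap; };
/* Security association with a plurality of SPIs, one per QoS level. */
struct sa { uint32_t spi[QOS_LEVELS]; struct ar_window win[QOS_LEVELS]; };

enum verdict { AR_ACCEPT, AR_REPLAY, AR_TOO_OLD, AR_UNKNOWN_SPI };

void sa_init(struct sa *s)
{
    memset(s, 0, sizeof *s);
    for (int q = 0; q < QOS_LEVELS; q++)
        s->spi[q] = 0x1000u + (uint32_t)q;   /* constructed SPI for level q */
}

/* Claim 1: the QoS level is whichever of the SA's SPIs the packet carries. */
static int qos_from_spi(const struct sa *s, uint32_t spi)
{
    for (int q = 0; q < QOS_LEVELS; q++)
        if (s->spi[q] == spi) return q;
    return -1;
}

/* Claims 4-6 against the window selected by QoS. Call only after the ICV
 * has been verified, so an unauthenticated packet can never move a window. */
enum verdict ar_check(struct sa *s, uint32_t spi, uint32_t seq)
{
    int q = qos_from_spi(s, spi);
    if (q < 0) return AR_UNKNOWN_SPI;
    struct ar_window *w = &s->win[q];
    if (seq > w->top) {                          /* above the window: slide */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= WIN_BITS) ? 0 : w->bitmap << shift;
        w->bitmap |= 1;
        w->top = seq;
        return AR_ACCEPT;
    }
    uint32_t diff = w->top - seq;
    if (diff >= WIN_BITS) return AR_TOO_OLD;     /* below the window: drop */
    if (w->bitmap & (1ull << diff)) return AR_REPLAY;  /* already seen */
    w->bitmap |= 1ull << diff;                   /* inside, first sighting */
    return AR_ACCEPT;
}
```

Because each QoS level owns its own window, a burst of high-priority packets that advances one window cannot cause in-order low-priority traffic on the same SA to be dropped as too old.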

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11509639B2 cover?
In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), whe…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0485. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 22, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).