公开(公告)号：US20160337398A1

公开(公告)日：2016-11-17

申请号：US14713588

申请日：2015-05-15

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Michael Fingleton ,  Hsia R. Yu

IPC: H04L29/06

CPC classification number: H04L63/1466 ,  H04L63/0272 ,  H04L63/164

Abstract: Processes and systems to create a plurality of sequence number spaces in a security association at a transmission device. Each sequence number space corresponds to a respective class of traffic. Each sequence number space is identified by a unique selector value. For each sequence number space, a sequence number counter is created for counting a sequence of outbound packets of a class of traffic corresponding to the sequence number space. For an outbound packet of a particular class of traffic, a selector value of a sequence number space of the particular class of traffic is written into a first portion of a sequence number field in the outbound packet. Low-order bits of the current value of a sequence number counter, associated with the sequence number space of the particular class of traffic, is written into a second portion of the sequence number field. The sequence number counter is then incremented.

Abstract translation: 在传输设备的安全关联中创建多个序列号空间的过程和系统。 每个序列号空间对应于相应的业务类别。 每个序列号空间由唯一的选择器值标识。 对于每个序列号空间，创建一个序列号计数器，用于对与序列号空间相对应的业务类别的出站分组序列进行计数。 对于特定类别的流量的出站分组，将特定业务类别的序列号空间的选择器值写入出站分组中的序列号字段的第一部分。 与特定流量类别的序列号空间相关联的序列号计数器的当前值的低位被写入序列号字段的第二部分。 然后将序列号计数器递增。

公开(公告)号：US11722525B2

公开(公告)日：2023-08-08

申请号：US17230675

申请日：2021-04-14

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Jonathan Rosen ,  Douglas Michael Toney ,  Harikrishnan Pillai ,  Feng Cao

IPC: H04L29/06 ,  H04L9/40 ,  G06F16/2455

CPC classification number: H04L63/20 ,  G06F16/2455

Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as a lookup key at hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA dram addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.

公开(公告)号：US20220337627A1

公开(公告)日：2022-10-20

申请号：US17230675

申请日：2021-04-14

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Jonathan Rosen ,  Douglas Michael Toney ,  Harikrishnan Pillai ,  Feng Cao

IPC: H04L29/06 ,  G06F16/2455

Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as a lookup key at hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA dram addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.

公开(公告)号：US09667650B2

公开(公告)日：2017-05-30

申请号：US14713588

申请日：2015-05-15

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Michael Fingleton ,  Hsia R. Yu

IPC: H04L29/06

CPC classification number: H04L63/1466 ,  H04L63/0272 ,  H04L63/164

Abstract: Processes and systems to create a plurality of sequence number spaces in a security association at a transmission device. Each sequence number space corresponds to a respective class of traffic. Each sequence number space is identified by a unique selector value. For each sequence number space, a sequence number counter is created for counting a sequence of outbound packets of a class of traffic corresponding to the sequence number space. For an outbound packet of a particular class of traffic, a selector value of a sequence number space of the particular class of traffic is written into a first portion of a sequence number field in the outbound packet. Low-order bits of the current value of a sequence number counter, associated with the sequence number space of the particular class of traffic, is written into a second portion of the sequence number field. The sequence number counter is then incremented.

公开(公告)号：US09374340B2

公开(公告)日：2016-06-21

申请号：US14257047

申请日：2014-04-21

Applicant: Cisco Technology, Inc.

Inventor： Hong Xu ,  Brian Weis ,  Jie Chu ,  Sheela Rowles

IPC: G06F21/00 ,  H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/062

Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.

Abstract translation: 第一个和第二个嵌套的虚拟专用网络共享一个通用的重新密钥服务。 第一个密钥服务器生成第一个加密密钥和策略，供VPN的网关使用，加密和解密数据包。 密钥服务器建立与第二密钥服务器的连接，以独立于第一密钥服务器生成第二加密密钥和策略，以供第二VPN的加密单元使用，该第二VPN与第一VPN嵌套并独立于第一VPN运行。 第一密钥服务器使用公共密钥服务刷新第一VPN网关中的第一加密密钥，并且与第二密钥服务器协作以使用公用密钥服务来刷新第二VPN加密单元中的第二加密密钥。

公开(公告)号：US20150304282A1

公开(公告)日：2015-10-22

申请号：US14257047

申请日：2014-04-21

Applicant: Cisco Technology, Inc.

Inventor： Hong Xu ,  Brian Weis ,  Jie Chu ,  Sheela Rowles

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/062

Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.

Abstract translation: 第一个和第二个嵌套的虚拟专用网络共享一个通用的重新密钥服务。 第一个密钥服务器生成第一个加密密钥和策略，供VPN的网关使用，加密和解密数据包。 密钥服务器建立与第二密钥服务器的连接，以独立于第一密钥服务器生成第二加密密钥和策略，以供第二VPN的加密单元使用，该第二VPN与第一VPN嵌套并独立于第一VPN运行。 第一密钥服务器使用公共密钥服务刷新第一VPN网关中的第一加密密钥，并且与第二密钥服务器协作以使用公用密钥服务来刷新第二VPN加密单元中的第二加密密钥。