1. End-to-end IP security
    Type: granted invention patent
    Status: in force
    Chinese title: 端到端的IP安全

    Publication No.: US07739728B1

    Publication date: 2010-06-15

    Application No.: US11329854

    Filing date: 2006-01-11

    IPC class: H04L9/12

    Abstract: End-to-end security is established automatically for network communications. In one embodiment a first host is associated with a policy manager that determines, for the first host, whether a secure session is permissible. If the secure session is permissible, the policy manager signals the intermediate devices on the path to open SA/DA (source-address/destination-address) pinholes for it. In an alternative embodiment a neutral policy broker determines, for both the first and the second host, whether the secure session is permissible and signals the intermediate devices to open the pinholes if it is. In another embodiment the end-to-end session consists of back-to-back tunnel-mode sessions linked by at least one intermediate device; that device decrypts and re-encrypts the session traffic and may be configured by a policy manager or policy broker. Further, another security association can be nested in one or more segments of the session so that one host can reach a third host or secure resource that remains shielded from the second host.
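
The policy-brokered pinhole set-up in the abstract, modelled as an added example (this is not code from the patent or its assignee): a neutral PolicyBroker holds the rule table for both hosts' domains, decides whether an IPsec session between them is permissible, and on success signals every intermediate device on the path to open source/destination pinholes for IKE (UDP/500), IKE NAT traversal (UDP/4500) and ESP (IP protocol 50). The rule table, the host addresses, the device names and the path are constructed for the demo.

```python
"""Toy model of policy-brokered SA/DA pinholes (added example, not the patent's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

IKE_PORT = 500        # IKE / ISAKMP over UDP
NAT_T_PORT = 4500     # UDP-encapsulated IKE and ESP behind NAT
ESP = "esp"           # IP protocol 50, carries no port number


@dataclass(frozen=True)
class Pinhole:
    src: str
    dst: str
    proto: str              # "udp", "tcp" or "esp"
    dport: Optional[int]    # None for ESP


@dataclass
class IntermediateDevice:
    name: str
    pinholes: Set[Pinhole] = field(default_factory=set)

    def open_pinholes(self, a: str, b: str) -> None:
        # Both directions: the responder's IKE replies and the return ESP
        # traffic must pass as well, so each pinhole is opened for (a,b) and (b,a).
        for s, d in ((a, b), (b, a)):
            self.pinholes.add(Pinhole(s, d, "udp", IKE_PORT))
            self.pinholes.add(Pinhole(s, d, "udp", NAT_T_PORT))
            self.pinholes.add(Pinhole(s, d, ESP, None))

    def permits(self, src: str, dst: str, proto: str, dport: Optional[int] = None) -> bool:
        # Default deny: only traffic with a matching pinhole gets through.
        return Pinhole(src, dst, proto, dport) in self.pinholes


class PolicyBroker:
    """Neutral broker: evaluates the policy for both hosts before any device is touched."""

    def __init__(self, rules: List[Tuple[str, str, bool]]):
        # (source network, destination network, permitted); first match wins
        self.rules = rules

    def permissible(self, a: str, b: str) -> bool:
        for src_net, dst_net, allowed in self.rules:
            if ip_address(a) in ip_network(src_net) and ip_address(b) in ip_network(dst_net):
                return allowed
        return False  # no rule: the secure session is not permissible

    def establish(self, a: str, b: str, path: List[IntermediateDevice]) -> bool:
        """Signal every intermediate device on the path only after the policy check passes."""
        if not self.permissible(a, b):
            return False
        for dev in path:
            dev.open_pinholes(a, b)
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    # Constructed rule table and path (assumptions for the demo).
    broker = PolicyBroker([
        ("10.1.0.0/16", "10.2.0.0/16", True),
        ("10.1.0.0/16", "10.9.0.0/16", False),
    ])
    path = [IntermediateDevice("fw-a"), IntermediateDevice("core-nat"), IntermediateDevice("fw-b")]
    ok = broker.establish("10.1.0.5", "10.2.0.7", path)          # permitted: pinholes opened
    denied = broker.establish("10.1.0.5", "10.9.0.1", path)      # refused: path untouched
    esp_back = path[2].permits("10.2.0.7", "10.1.0.5", ESP)       # return ESP traffic passes
    ssh = path[0].permits("10.1.0.5", "10.2.0.7", "tcp", 22)      # no pinhole: still blocked
    return ok, denied, esp_back, ssh


if __name__ == "__main__":
    print(demo())
```

Opening the pinholes only after the broker's decision, and only for the three flows IPsec actually needs, is the point: the intermediate devices never hold a general allow rule between the two hosts.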

2. Method and system for internet protocol address concatenation
    Type: granted invention patent
    Status: lapsed
    Chinese title: 互联网协议地址连接的方法和系统

    Publication No.: US07653065B2

    Publication date: 2010-01-26

    Application No.: US11474648

    Filing date: 2006-06-26

    IPC class: G06F9/34

    Abstract: A method and system for transmitting packets that carry an address of a first length over a core network whose addresses have a second, larger length. The length of the first address is determined and an offset to it is established such that the offset, the length of the core network's prefix for the second address, and the length of the first address together equal the length of the second address. The method and system can be implemented as an enhancement to existing network protocols such as IPv4, IPv6 and the like.
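
One concrete layout for the concatenation the abstract describes, as an added example (not code from the patent): a 32-bit IPv4 address is carried inside a 128-bit IPv6 address laid out as prefix (p bits) | zero offset (128 - p - 32 bits) | IPv4 (32 bits), so that prefix length + offset + inner length equals the carrier length. The prefix 2001:db8::/32 and the addresses are constructed, and the layout is an assumption of this example, not the RFC 6052 IPv4-embedded IPv6 format. The inverse operation checks that the carrier really belongs to the prefix and that the offset bits are zero, so that a crafted carrier address cannot be decoded into an arbitrary inner address.

```python
"""IPv4-in-IPv6 address concatenation with an explicit offset (added example)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

INNER_BITS = 32      # length of the first (shorter) address
CARRIER_BITS = 128   # length of the second (longer) address


def offset_for(prefix: IPv6Network, inner_bits: int = INNER_BITS) -> int:
    """Zero padding between the network prefix and the embedded address,
    chosen so that prefixlen + offset + inner_bits == CARRIER_BITS."""
    offset = CARRIER_BITS - prefix.prefixlen - inner_bits
    if offset < 0:
        raise ValueError(f"/{prefix.prefixlen} prefix leaves no room for {inner_bits} inner bits")
    return offset


def concatenate(prefix: IPv6Network, inner: IPv4Address) -> IPv6Address:
    """Build the carrier address: prefix bits, then offset zeros, then the inner address."""
    offset_for(prefix)  # validates that the prefix and the inner address fit
    # network_address already has zeros below the prefix; the inner address
    # occupies the low INNER_BITS bits, the offset bits stay zero.
    return IPv6Address(int(prefix.network_address) | int(inner))


def extract(carrier: IPv6Address, prefix: IPv6Network) -> IPv4Address:
    """Inverse of concatenate. Refuses carriers outside the prefix or with
    non-zero offset bits instead of silently decoding them."""
    if carrier not in prefix:
        raise ValueError("carrier address is outside the concatenation prefix")
    offset = offset_for(prefix)
    value = int(carrier)
    inner_mask = (1 << INNER_BITS) - 1
    offset_mask = ((1 << offset) - 1) << INNER_BITS
    if value & offset_mask:
        raise ValueError("offset bits between prefix and inner address must be zero")
    return IPv4Address(value & inner_mask)


if __name__ == "__main__":
    prefix = IPv6Network("2001:db8::/32")          # constructed core-network prefix
    carrier = concatenate(prefix, IPv4Address("192.0.2.10"))
    print(carrier, "->", extract(carrier, prefix), "offset", offset_for(prefix))
```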

3. Method and system for policy-based address allocation for secure unique local networks
    Type: granted invention patent
    Status: lapsed
    Chinese title: 用于安全的独特本地网络的基于策略的地址分配的方法和系统

    Publication No.: US07764677B2

    Publication date: 2010-07-27

    Application No.: US11524215

    Filing date: 2006-09-20

    IPC class: H04L12/28

    Abstract: The present invention provides a method, system and apparatus for allocating addresses to secure unique local networks through a brokered federated policy and identity management system. That system has an address domain manager that allocates network addresses and is arranged to interoperate with a network identity management module, which manages identity at the application level. The address domain manager receives an authorization from the brokered federated policy and identity management system and assigns a network address to a unique local network on the basis of that authorization. The method, system and apparatus may further include authenticating a user, where authenticating the user includes passing an assertion token to the user's device, and may further include providing user policies to a policy enforcement point in the network.

4. Dynamic hierarchical address resource management architecture, method and apparatus
    Type: granted invention patent
    Status: lapsed
    Chinese title: 动态分层地址资源管理架构,方法和设备

    Publication No.: US08369329B2

    Publication date: 2013-02-05

    Application No.: US11325064

    Filing date: 2006-01-03

    IPC class: H04L12/28 G06F15/16

    Abstract: A Dynamic Hierarchical Address Resource Management Architecture (DHARMA) coordinates a logical hierarchy of address spaces with a virtual topology of network elements using a manageable database environment. Address spaces are apportioned into hierarchical levels in accordance with a network policy. Network elements may be represented as objects coupled via the logical address space. Both the definition of the address space hierarchy and the modelling of the virtual topology may occur independently of actual network deployment, so multiple address space hierarchy definitions and virtual topologies can be pre-generated and stored for selective use during deployment. This provides a flexible addressing architecture that may be used in any network that requires dynamic network configuration. The connection between the logical address hierarchy and the virtual network topology may be implemented through a logical tag that links a virtual network element to a level of the logical address hierarchy.

5. Method and system for trusted contextual communications
    Type: granted invention patent
    Status: lapsed
    Chinese title: 可靠情境通信的方法和系统

    Publication No.: US08176525B2

    Publication date: 2012-05-08

    Application No.: US11540272

    Filing date: 2006-09-29

    IPC class: H04L29/06

    Abstract: This invention provides a method, system and apparatus for allowing a media-context-sensitive SIP signaling exchange and call establishment (such as voice) while denying or challenging any other Session Description Protocol ("SDP") extension dialog that a user might not want (such as instant messaging, video, Web broadcasting or pushing, data and/or application sharing and the like). The method and apparatus may further include defining user client media policy preferences, which establish the parameters for evaluating a media session request received by a user client, and providing those preferences to a policy enforcement point device, which evaluates the media session request received by the user client and applies the user client media policy preferences to it. The method and apparatus may further include using a user client portal to access a media policy database that stores the user client media policy preferences.
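
A minimal policy enforcement point for the SDP part of that exchange, as an added example (not code from the patent): the user's media policy maps each SDP media type to "allow", "deny" or "challenge"; audio is let through, other media are refused by setting their port to 0 in the offer passed on to the client (the SDP offer/answer convention for rejecting a stream), and a "challenge" verdict asks a confirm callback that stands in for the user prompt. The SDP offer, the policy table and the callback are constructed; unlisted media types are denied by default.

```python
"""SDP media-policy enforcement point (added example, not the patent's code)."""
from typing import Callable, Dict, List, Tuple

# Constructed SIP INVITE offer: voice plus video, whiteboard and MSRP messaging.
SAMPLE_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
m=application 32416 udp wb
m=message 7654 TCP/MSRP *
"""

# Constructed user client media policy preferences (assumption for the demo).
POLICY: Dict[str, str] = {
    "audio": "allow",
    "video": "deny",
    "application": "challenge",
    "message": "challenge",
}


def verdict(media: str, policy: Dict[str, str]) -> str:
    """Policy lookup with default deny for media types the user never listed."""
    return policy.get(media, "deny")


def evaluate(sdp: str, policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """Raw policy verdict for every m= line in the offer, in order."""
    decisions = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media = line[2:].split()[0]
            decisions.append((media, verdict(media, policy)))
    return decisions


def enforce(sdp: str, policy: Dict[str, str],
            confirm: Callable[[str], bool] = lambda media: False) -> str:
    """Rewrite the offer so the client only sees permitted media.

    Rejected streams keep their m= line but get port 0; "challenge" is
    resolved through confirm(media), which denies unless the user agrees.
    """
    out = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                raise ValueError(f"malformed media line: {line!r}")
            decision = verdict(fields[0], policy)
            if decision == "challenge":
                decision = "allow" if confirm(fields[0]) else "deny"
            if decision != "allow":
                fields[1] = "0"  # port 0 rejects the stream in SDP offer/answer
            line = "m=" + " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(evaluate(SAMPLE_OFFER, POLICY))
    print(enforce(SAMPLE_OFFER, POLICY, confirm=lambda media: media == "message"))
```

Keeping the rejected m= lines (with port 0) rather than deleting them matters: the offer/answer state machine on both sides expects the same number of media descriptions in the same order.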