Abstract:
A method, network element, and computer storage program product, are provided for selectively loading a communication network security enforcement point ('SEP') with security association ('SA') information for inspection of encrypted data in a secure, end-to-end communications path. At least one encrypted data packet is received. It is determined that SA information for decrypting the at least one encrypted data packet fails to exist locally at the SEP. A request is sent to a communication network key server for SA information associated with the at least one encrypted data packet. The SA information associated with the at least one encrypted data packet is received from the communication network key server.
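The SEP behaviour described above, as an added example that is not taken from the patent: an ESP packet arrives, the SEP keys its local SA cache on the cleartext SPI, asks a key server only on a miss, and the key server releases an SA only to a SEP authorized for it. The key-server interface, the SA record layout and the toy SHA-256 keystream are assumptions for illustration; the ESP header layout (SPI, sequence number, payload, trailing ICV) follows RFC 4303.

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional, Tuple

# ESP header layout from RFC 4303: 32-bit SPI, 32-bit sequence number, then payload.
# The SPI is what the SEP keys its SA cache on, because it is sent in the clear.
ESP_HDR = struct.Struct("!II")
ICV_LEN = 16  # truncated HMAC-SHA256 tag appended to the packet


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) standing in for the SA's cipher;
    # this is an illustration, not an IPsec transform.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_protect(sa: dict, seq: int, plaintext: bytes) -> bytes:
    """Sender side: ESP header + encrypted payload + ICV over header and ciphertext."""
    hdr = ESP_HDR.pack(sa["spi"], seq)
    ks = _keystream(sa["enc_key"], sa["spi"], seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    icv = hmac.new(sa["auth_key"], hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ct + icv


class KeyServer:
    """Hypothetical key server: stores SAs and releases each only to SEPs authorized for it."""

    def __init__(self) -> None:
        self._sas: Dict[int, dict] = {}
        self.requests = 0  # counts lookups so the demo can show cache hits vs. misses

    def register(self, sa: dict, authorized_seps: Iterable[str]) -> None:
        self._sas[sa["spi"]] = dict(sa, seps=set(authorized_seps))

    def lookup(self, sep_id: str, spi: int) -> Optional[dict]:
        self.requests += 1
        sa = self._sas.get(spi)
        if sa is None or sep_id not in sa["seps"]:
            return None  # unknown SPI, or this SEP is not entitled to the SA
        return {k: sa[k] for k in ("spi", "enc_key", "auth_key")}


class SecurityEnforcementPoint:
    """SEP that loads SA material lazily: local cache first, key server on a miss."""

    def __init__(self, sep_id: str, key_server: KeyServer) -> None:
        self.sep_id = sep_id
        self.key_server = key_server
        self.cache: Dict[int, dict] = {}

    def inspect(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        if len(packet) < ESP_HDR.size + ICV_LEN:
            return ("malformed", None)
        spi, seq = ESP_HDR.unpack_from(packet)
        sa = self.cache.get(spi)
        if sa is None:
            sa = self.key_server.lookup(self.sep_id, spi)
            if sa is None:
                return ("no-sa", None)  # cannot inspect; policy decides drop or pass
            self.cache[spi] = sa
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return ("bad-icv", None)  # verify before decrypting, as ESP does
        ct = body[ESP_HDR.size:]
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(sa["enc_key"], spi, seq, len(ct))))
        return ("ok", pt)


def demo() -> Tuple[tuple, tuple, tuple, tuple, int]:
    ks = KeyServer()
    sa = {"spi": 0x1000, "enc_key": b"k" * 32, "auth_key": b"a" * 32}  # constructed SA
    ks.register(sa, ["sep-1"])
    sep = SecurityEnforcementPoint("sep-1", ks)
    p1 = esp_protect(sa, 1, b"GET /index.html")
    p2 = esp_protect(sa, 2, b"GET /login")
    r1 = sep.inspect(p1)  # cache miss: one key-server request
    r2 = sep.inspect(p2)  # same SPI: served from the local cache
    other = {"spi": 0x2000, "enc_key": b"x" * 32, "auth_key": b"y" * 32}
    r3 = sep.inspect(esp_protect(other, 1, b"hidden"))  # SPI the key server does not hold
    tampered = p2[:-1] + bytes([p2[-1] ^ 1])
    r4 = sep.inspect(tampered)  # ICV mismatch: rejected without decrypting
    return r1, r2, r3, r4, ks.requests


if __name__ == "__main__":
    print(demo())
```

The authorization check in the key server is the part worth keeping in a real deployment: a SEP that can fetch any SA by SPI becomes a universal decryption oracle for the network, so the key server should bind each SA to the SEPs permitted to inspect that path.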
Abstract:
Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify source applications that are served by a NAPT. If an arriving packet encapsulates an encrypted packet and has passed through a NAPT en route to the destination host, the encapsulated packet is decrypted to obtain the original source port number and original packet protocol from the decrypted packet. A source port mapping table (SPMT) is searched for an association between the NAPT source address, the original source port and the original packet protocol on one side, and the NAPT source address and port number on the other. If an incorrect association is found, the packet is rejected as representing an illegal duplicate source; that is, a second packet from a different host served by the same NAPT that is using the same source port and protocol.
Abstract:
Preventing duplicate sources in a network that uses network address port translation on an established connection. In response to receiving an inbound packet at a destination host, input values are obtained therefrom and used to consult a mapping. If no match is found, a translation is performed, whereby a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected.
Abstract:
Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify connections that include port number translation. In response to an inbound IPsec packet from a remote source client, a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected.
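Added example, not code from any of the patents above, combining the two mechanisms described: the SPMT lookup on a decrypted NAPT packet from the earlier abstract, and the translation into an SA-compliant port range from the last two abstracts, with rejection only when that range is exhausted. The packet fields, table layouts and port range are assumptions for illustration; a real implementation would also scope the table per local destination and age entries out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a decapsulated NAT-traversal packet: the outer header carries the
# NAPT's public address and the port the NAPT assigned to this client's tunnel; the inner
# header (visible only after decryption) carries the client's own source port and protocol.
@dataclass(frozen=True)
class InboundPacket:
    napt_addr: str
    napt_port: int   # outer port: identifies which host behind the NAPT sent this
    orig_port: int   # inner source port as the client chose it
    proto: str       # inner protocol, e.g. "tcp" or "udp"


SpmtKey = Tuple[str, int, str]  # (napt_addr, source port as seen locally, protocol)


class DuplicateSourceGuard:
    """Destination-side guard against duplicate sources behind one NAPT.

    spmt maps the (address, port, proto) triple the local stack will see to the outer
    NAPT port of the tunnel that legitimately owns it.  A second tunnel presenting the
    same triple is a duplicate source: it is translated to a free port from the SA's
    permitted range, or rejected when no such port is left.
    """

    def __init__(self, sa_port_range: range) -> None:
        self.sa_port_range = sa_port_range  # ports the SA's selectors allow
        self.spmt: Dict[SpmtKey, int] = {}
        # (napt_addr, napt_port, orig_port, proto) -> port assigned to that tunnel
        self.translations: Dict[Tuple[str, int, int, str], int] = {}

    def _free_port(self, napt_addr: str, proto: str) -> Optional[int]:
        for port in self.sa_port_range:
            if (napt_addr, port, proto) not in self.spmt:
                return port
        return None

    def process(self, pkt: InboundPacket) -> Tuple[str, Optional[int]]:
        key = (pkt.napt_addr, pkt.orig_port, pkt.proto)
        owner = self.spmt.get(key)
        if owner is None:
            self.spmt[key] = pkt.napt_port   # first claim on this triple
            return ("accept", pkt.orig_port)
        if owner == pkt.napt_port:
            return ("accept", pkt.orig_port)  # same tunnel as before: consistent
        # A different tunnel already owns this triple: an illegal duplicate source.
        tkey = (pkt.napt_addr, pkt.napt_port, pkt.orig_port, pkt.proto)
        if tkey in self.translations:
            return ("translated", self.translations[tkey])
        port = self._free_port(pkt.napt_addr, pkt.proto)
        if port is None:
            return ("reject", None)           # SA range exhausted
        self.translations[tkey] = port
        # Reserve the translated port so a later client using it natively is also caught.
        self.spmt[(pkt.napt_addr, port, pkt.proto)] = pkt.napt_port
        return ("translated", port)


def demo() -> list:
    guard = DuplicateSourceGuard(range(40000, 40002))  # SA permits two spare ports
    napt = "203.0.113.7"  # constructed NAPT public address
    packets = [
        InboundPacket(napt, 5000, 1234, "tcp"),  # host A
        InboundPacket(napt, 5001, 1234, "tcp"),  # host B, same inner port: translate
        InboundPacket(napt, 5001, 1234, "tcp"),  # host B again: same translation
        InboundPacket(napt, 5002, 1234, "tcp"),  # host C: second spare port
        InboundPacket(napt, 5003, 1234, "tcp"),  # host D: range exhausted, reject
        InboundPacket(napt, 5001, 1234, "udp"),  # host B on udp: distinct triple
    ]
    return [guard.process(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```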
Abstract:
Management of the processing of relatively large data objects in a communications stack having multiple layers improves the performance in a communications system in preparing relatively large data objects for transmission across a communications network. This reduces or eliminates data movement and copying during segmentation of the relatively large data objects into relatively small data objects, and appendage of headers to the relatively small data object segments during processing in the communications stack. A shared storage manager creates and controls multiple tokens representing multiple images of portions of the relatively large data objects to enable separate scheduling of the multiple images from the same storage unit or buffer to be passed from one layer in a communications stack to the next lower layer in the communications stack. The large data object is segmented into a plurality of relatively small data object segments at one or more of the layers in the communications stack. When dictated by the communications stack, header segments are also created for each relatively small data object segment. Each header segment contains specific information for the relatively small data object segment to which the header corresponds. A separate buffer list is generated by the communications stack for each relatively small data object segment and for each corresponding header segment.
Abstract:
Management of datastream construction prior to transmission of the datastream across a channel of a communications system by providing for data blocking while reducing movement or copying of the data improves the performance in a communications system. Multiple header segments received from a higher layer in the communications stack are copied into the datastream header area of a datastream such that the header segments are sequentially stored in the datastream header area. A datastream buffer list having entries referencing the datastream header area is generated. Buffer list entries referencing data segments received from higher layers in the communications stack are also stored in the datastream buffer list. The data segments are not physically moved or copied into the datastream during processing by the communications stack. Rather, a "virtual" datastream is generated by the communications stack for transmission without physically moving or copying the data segment. The datastream is transmitted across the channel by the system input/output interface by first writing the datastream header area referenced by the datastream buffer list directly into the channel, and the data segments directly from their original storage location into the channel of the communications system using the datastream buffer list entries.
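Added example, not code from either of the two preceding patents, showing the scheme they describe: the large object is segmented into images that alias the original buffer (memoryview slices stand in for the shared storage manager's tokens), a lower layer copies only the small headers into one contiguous header area, the buffer list interleaves header-area slices with the untouched data images, and a gather-style write sends each entry from where it lives. The segment header format and the byte-array "channel" are assumptions for illustration.

```python
import struct
from typing import List, Tuple

# Constructed per-segment header: segment index, segment length, total object length.
SEG_HDR = struct.Struct("!HHI")


def segment(payload: bytes, mss: int) -> List[Tuple[bytes, memoryview]]:
    """Upper layer: cut the large object into MSS-sized images without copying it.

    Each memoryview slice is a token for one image of the shared buffer; the only
    bytes materialised here are the small per-segment headers.
    """
    view = memoryview(payload)
    total = len(payload)
    count = (total + mss - 1) // mss
    segments = []
    for i in range(count):
        image = view[i * mss:(i + 1) * mss]
        segments.append((SEG_HDR.pack(i, len(image), total), image))
    return segments


def build_datastream(segments: List[Tuple[bytes, memoryview]]) -> Tuple[bytes, List[memoryview]]:
    """Lower layer: copy only the headers into one contiguous header area and build a
    buffer list that alternates header-area slices with the untouched data images."""
    header_area = b"".join(hdr for hdr, _ in segments)
    hview = memoryview(header_area)
    buffer_list: List[memoryview] = []
    off = 0
    for hdr, image in segments:
        buffer_list.append(hview[off:off + len(hdr)])
        off += len(hdr)
        buffer_list.append(image)  # data stays in its original storage
    return header_area, buffer_list


def transmit(buffer_list: List[memoryview], channel: bytearray) -> int:
    """Gather write: the I/O interface pulls each entry from where it lives (writev-style)."""
    written = 0
    for entry in buffer_list:
        channel += entry
        written += len(entry)
    return written


def reassemble(wire: bytes) -> bytes:
    """Receiver check: walk header/data pairs and rebuild the large object."""
    out = bytearray()
    pos = 0
    while pos < len(wire):
        _idx, length, _total = SEG_HDR.unpack_from(wire, pos)
        pos += SEG_HDR.size
        out += wire[pos:pos + length]
        pos += length
    return bytes(out)


def demo(payload: bytes = bytes(range(256)) * 40, mss: int = 1460) -> dict:
    segments = segment(payload, mss)
    header_area, buffer_list = build_datastream(segments)
    channel = bytearray()
    written = transmit(buffer_list, channel)
    return {
        "segments": len(segments),
        "header_bytes": len(header_area),
        "written": written,
        # every data entry still aliases the original object: no copy was made
        "zero_copy": all(e.obj is payload for e in buffer_list[1::2]),
        "roundtrip": reassemble(bytes(channel)) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

On a real socket the buffer list maps directly onto os.writev, which takes exactly such a sequence of buffers; the point of the design is that the 10 KB payload here is touched once, by the channel, rather than once per layer.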
Abstract:
Preventing duplicate sources from clients served by a network address port translator. Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify source applications that are served by a NAPT. If an arriving packet encapsulates an encrypted packet and has passed through a NAPT en route to the destination host, the encapsulated packet is decrypted to obtain the original source port number and original packet protocol from the decrypted packet. A source port mapping table (SPMT) is searched for an association between the NAPT source address, the original source port and the original packet protocol on one side, and the NAPT source address and port number on the other. If an incorrect association is found, the packet is rejected as representing an illegal duplicate source; that is, a second packet from a different host served by the same NAPT that is using the same source port and protocol.