82 results about "IP fragmentation" patented technology

A system for transmitting and receiving TCP / IP data packets using a hardware engine is provided. The system includes an inbound MAC Receive state machine for processing MAC frames received from a network; an inbound IP verifier state machine for verifying IP packet headers; an inbound IP fragment processing state machine for processing and reassembling IP fragments; and an inbound TCP state machine for processing TCP segments received from an IP layer. The system also includes an outbound MAC Transmit state machine that sends MAC frames to a network; an outbound IP state machine that processes IP data to be passed to a MAC layer for transmission; and an outbound TCP state machine that processes TCP data to be passed to the IP layer for transmission.

Network endpoints using TCP / IP operate to determine the maximum transmission unit (MTU) of the path between them. This determination is done so as to avoid the expensive IP fragmentation that will occur when transitioning links with a smaller MTU size. The standard method of determining the path MTU (PMTU) has several known deficiencies, including: inefficient use of bandwidth as proper operation will likely result in the loss of one or more packets and difficulty of implementation as the reverse channel communication mechanism, reception of ICMP messages indicating the discarding of unfragmentable packets, is frequently blocked by firewalls and other security apparatus. A method of determining the PMTU between intermediate proxies is disclosed that does not require reception of ICMP messages or the inefficient use of bandwidth due to the presumed dropping of packets with valid data.

Data structures, a method, and an associated transmission system for IP fragmentation and IP reassembly on network processors in order to minimize memory allocation requirements. Frame data for IP fragmentation or reassembly on a network processor is read into buffers to which are associated various control structures. The control structures permit IP fragmentation or reassembly to be accomplished without creating multiple copies of the frame or fragments.

Network endpoints using TCP / IP operate to determine the maximum transmission unit (MTU) of the path between them. This determination is done so as to avoid the expensive IP fragmentation that will occur when transitting links with a smaller MTU size. The standard method of determining the path MTU (PMTU) has several known deficiencies, including: inefficient use of bandwidth as proper operation will likely result in the loss of one or more packets and difficulty of implementation as the reverse channel communication mechanism, reception of ICMP messages indicating the discarding of unfragmentable packets, is frequently blocked by firewalls and other security apparatus. A method of determining the PMTU between intermediate proxies is disclosed that does not require reception of ICMP messages or the inefficient use of bandwidth due to the presumed dropping of packets with valid data.

A local area network includes computers and peripherals networked in a high-speed LAN with access to a WAN through a slower connection via a broadband modem. A LAN gateway device manages data traffic between the local computers and peripherals and between the LAN and the WAN. The LAN gateway device provides multiple features, such as wired or wireless links, security, firewall, NAT, DCHP, traffic management, and the like. Traffic management features include an automatic quality of service priority classification scheme. A quality of service module automatically assigns priorities to the data streams based on analysis of the data packets. A configuration access list can be provided with pre-configured priorities for some streams. Initially, all streams are given highest priority and subsequently the priority is automatically adapted to the results of the packet analysis. Traffic shaping techniques control the LAN gateway upstream output and enable IP fragmentation of TCP packets according to measured upstream channel conditions.

A local area network includes computers and peripherals networked in a high-speed LAN with access to a WAN through a slower connection via a broadband modem. A LAN gateway device manages data traffic between the local computers and peripherals and between the LAN and the WAN. The LAN gateway device provides multiple features, such as wired or wireless links, security, firewall, NAT, DCHP, traffic management, and the like. Traffic management features include an automatic quality of service priority classification scheme. A quality of service module automatically assigns priorities to the data streams based on analysis of the data packets. A configuration access list can be provided with pre-configured priorities for some streams. Initially, all streams are given highest priority and subsequently the priority is automatically adapted to the results of the packet analysis. Traffic shaping techniques control the LAN gateway upstream output and enable IP fragmentation of TCP packets according to measured upstream channel conditions.

A local area network includes computers and peripherals networked in a high-speed LAN with access to a WAN through a slower connection via a broadband modem. A LAN gateway device manages data traffic between the local computers and peripherals and between the LAN and the WAN. The LAN gateway device provides multiple features, such as wired or wireless links, security, firewall, NAT, DCHP, traffic management, and the like. Traffic management features include an automatic quality of service priority classification scheme. A quality of service module automatically assigns priorities to the data streams based on analysis of the data packets. Traffic shaping techniques control the LAN gateway upstream output and enable IP fragmentation of TCP packets according to measured upstream channel conditions. The traffic shaping techniques estimate available upstream data rate, available downstream data rate, and the size of datagrams being used on the network link.

Data structures, a method, and an associated transmission system for IP fragmentation and IP reassembly on network processors in order to minimize memory allocation requirements. Frame data for IP fragmentation or reassembly on a network processor is read into buffers to which are associated various control structures. The control structures permit IP fragmentation or reassembly to be accomplished without creating multiple copies of the frame or fragments.

Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.

The invention relates to a method for reducing the number of data IP fragments in packet domain network, and its kernel: packet network device regulates MSS parameter value of maximum transfer unit carried in TCP connection information between terminal and service according to the set MSS parameter threshold and sends out the regulated TCP connection information; the terminal or server learns a longest message segment length supported by the opposite terminal through MSS parameter carried in the TCP connection information, and compares this longest message segment length with its own longest message segment length, and selects the smaller value to make segment handling on TCP transfer data. And the invention can reduce IP packet fragments between packet network devices by regulating MSS parameter value, reduce data packet handling delay and improve packet device handling ability.

This invention relates to a method for reassembling IP segment messages and allocating service when using a single IP address to realize service by dividing the distributed system in logic into an interface module, a reassembling module part and service module part, the reassembling module finishes the reassembling of IP segment messages to assign the IP segment messages to assign the IP segment messages into multiple reassembling modules uniformly and cheaply and avoid IP segment message reassembling neck in the single IP address distributed process system.

The invention relates to network communication field, in particular to an IP fragment. The method comprises the steps of: obtaining IP message head length and IP message data content length; according to the IP message head length, IP message data content length and the value of maximum transmission unit MTU, calculating the fragmented IP message data content length; the fragmented IP message data content length is less than the maximum fragment length; the maximum fragment length is the maximum value in all the values; the value is not more than the difference between the value of the MTU and the IP message head length; the value is integral multiple of 8-byte; fragmenting the IP message according to the IP message data content length. Utilizing the technical proposal provided by the embodiment of the invention, because the fragmented IP message data content length is less than the maximum fragment length, the length of IP message routing, then adding with tunnel head is possibly less than MTU, thereby reducing IP fragment times and amounts.

The present invention relates to a method for improving IP fragmentation and transmission of user payload between a User Equipment, UE 10, and a Peer Node, PN 14. The payload is transmitted through a transmission path enabled by at least a first 17,18 and a second 17,18 established tunnel, said tunnels connecting a first 11, 13 and a second 11,13 node in a Packet Core Network, PCN. The method comprises the steps of:The first node 11,13 fragments 19 at least one received payload packet 15 into fragments 16 on the basis of a minimum Maximum Transmission Unit, MTU, for an upper IP layer of the transmission path.The first node 11,13 encapsulates 20 said fragments at the entry of the first tunnel 17,18. What particularly characterizes the method is that it further comprises a step where the first node 11,13 determines 21 the MTU for the upper IP layer of the transmission path on the basis of an MTU of a lower IP layer of the transmission path and on the basis of the size of at least one additional tunnel header for the encapsulated fragments 16.

The invention discloses a network garbage information filtering method supported by multiprotocols and based on the transparent bridge, and a device, which belongs to the information security domain. The method and the device comprise a transparent bridge, data packet redirection, IP packet receiving and reinjecting, protocol analysis, a multi-thread scheduling analysis module and filtering modules (such as a mail filtering module and a short message filtering module, etc.) of various protocols. The method and the device adopt the technical proposal that the related information in the network is detained on the well-built linux transparent bridge by using iptables / netfilter, then ip lamination processing is completed, tcp data stream is restored, and complete network information is obtained and stored in a double-buffering queue; then the worker thread in a thread-scheduling awakened thread pool retrieves information form the double-buffering queue, and different filtering modules are invoked for filtering; the information is discarded when being judged as the garbage information, otherwise, the information is released. The device can be positioned at the front end of the gateway of a large and medium-sized enterprise or deployed at the front end of a border router for filtering the network information.

A fragmentation repetition detection apparatus (410) for detecting an IP fragmentation repetition which may occur in a multicast or unicast environment is provided. The fragmentation repetition detection apparatus (410) includes a packet capturing unit (411) which captures a received packet, a fragmentation repetition detector which detects whether or not the captured packet is a packet which is repetitively fragmented, and a path maximum transmission unit (PMTU) transmitter (414) which transmits PMTU information acquired by the fragmentation repetition detector (412) to a server which transmits the packet when the captured packet is a packet which is repetitively fragmented. Since a packet is transmitted by readjusting a PMTU, a fragmentation of an IP packet can be prevented.

A network address-port translation (NAPT) apparatus and method for IP packets with a same identification is disclosed. The IP packets at least include a first packet with Layer 4 information and a second packet without Layer 4 information. The NAPT apparatus includes: a packet translation unit for performing a NAPT operation for the first packet to generate a translation IP; and a translation table for storing a correspondence between the same identification and the translation IP. The packet translation unit translates one of a source IP and a destination IP of the second packet into the translation IP according to a forwarding direction of the second packet and the translation table.

The method includes procedures: when processing first IP banding, network device of starting use of Internet secure protocol picks up information for unique identifying the IP message from the IP banding; then, building mapping from the information to relevant security policy; when processing other bandings of the IP message, Internet secure protocol maps to relevant security policy through the said unique information so as to implement process in high speed for the IP banding by the Internet secure protocol. Comparing with prior art, the invention overcomes disadvantages of using lots of memory, weighting process burden of gateway, lowering network throughput. The invention raises service range supported by network device, and guarantees high forwarding performance of network device.

The embodiment of the invention provides a method and device for data distribution. The method comprises the steps of dividing an IP data package into a plurality of IP fragmentation data packages according to the distribution proportion, and respectively conducting transmission on the IP fragmentation data packages on a plurality of data links according to the distribution proportion. According to the distribution proportion, the IP data package is divided into the plurality of IP fragmentation data packages having the same identifying information of the IP data package, diversion transmission is carried out on the IP fragmentation data packages according to the distribution proportion, and therefore the IP fragmentation technology and the IP recombinant technology in the IP can be fully utilized for flexibly achieving data distribution. In addition, the scheme can be flexibly deployed on any distribution nodes, ad network sources of a plurality of paths of the distribution nodes can be fully utilized for conducting data transmission.

The invention provides a method, device and equipment for processing messages, and relates to the field of computers. The method, device and equipment for processing the messages can enable a TOE network card to support the processing to IP fragmentation messages and achieve the hardware TOE uninstall of the fragmentation messages, and improve the response performance and the transmission performance of a network. The method comprises the steps that firstly, the TOE network card of a TCP uninstall engine receives a first message, if the first message is a fragmentation message, the first message is moved to a mainframe shared memory, the first message is then reassembled through a TOE drive to generate a second message, the second message is moved to a TOE network memory, TOE uninstall is then carried out on the second message, and lastly, data after the TOE uninstall are handed to a system upper layer unit for processing. The method, device and equipment for processing the messages is used for message processing.

The invention discloses a method for preventing the fragment attack of an IP (Internet Protocol) datagram, relating to the technical field of network security. In the method, fragment messages of the received IP datagram are temporarily recombined before reaching a corresponding processing module; and in the process of temporary recombination, if the number of the fragment messages belonging to the same IP datagram exceeds a fragment threshold, the IP datagram is discarded. In the invention, by storing each IP fragment message in a cache and virtually recombining the fragments, the original datagram can be detected. Thus, network equipment can verify the sequence and integrality of each fragment and discover the hostile attack performed by utilizing the fragments, thereby more effectively preventing the IP fragment message attack.

This invention discloses a method for packaging IP slice messages in general routes including:1, setting the maximum byte number of transmission IP messages of the last stage nodes before the central node necessary to package message in general routes let it smaller than or equal to the diference between the maximum transmission message byte and the general route packaged message head byte of said middle node, 2, the middle node receives said message to judge if the message is a slice one, if not, it cuts in the general route package message head before the message net charge and modifies the value of related field in the IP head of said non-sliced message to guarantee the correctness of it, if it is the slice message, then it judges if it is the first slice, if so, it treats it according to the mode for processing non-sliced messages, if it is not the first one, it modifies the value of related field in the IP head to secure the correctness of the IP message head.

The invention relates to an IP fragmentation message transmitting method, applying ICMP message on network equipment, making user end or network server end automatically regulate message size, thus avoiding message recombination in intermediate equipment. It solves the problems of high cost and implementing complexity in message recombination by hardware, and performance of message recombination by software. And it is simple to implement and does not influence transmission performance.

The present invention relates to a method for improving IP fragmentation and transmission of user payload between a User Equipment, UE (10), and a Peer Node, PN (14). The payload is transmitted through a transmission path enabled by at least a first (17, 18) and a second (17, 18) established tunnel, said tunnels connecting a first (11), (13) and a second (11, 13) node in a Packet Core Network, PCN. The method comprises the steps of: - The first node (11,13) fragments (19) at least one received payload packet (15) into fragments (16) on the basis of a minimum Maximum Transmission Unit, MTU, for an upper IP layer of the transmission path. The first node (11, 13) encapsulates (20) said fragments at the entry of the first tunnel (17, 18). What particularly characterizes the method is that it further comprises a step where the first node (11, 13) determines (21) the MTU for the upper IP layer of the transmission path on the basis of an MTU of a lower IP layer of the transmission path and on the basis of the size of at least one additional tunnel header for the encapsulated fragments (16).

In a network, packets are fragmented into head and non-head fragments. Non-head fragments are saved up front at an entry point, while a network switch forwards only the head fragment to Layer 4-Layer 7 (L4-L7) features for processing. The switch records changes that are performed on the head fragment's fields by the L4-L7 features while they process the head fragment. At an exit point, fields of the saved non-head fragments are overwritten with information that was recorded for the head fragment. This can include updating or modifying the source and destination parameters of the non-head fragments in an intelligent manner by reusing the results of the packet processing that was performed on the head fragment. This fragmentation handling technique avoids having to redundantly process the non-head fragments in the same manner as the head fragments.

The method comprises: IP sending end sends out IP fragmentation message; IP destination end receives the IP fragmentation message, and decides if the IP fragmentation message needs a direct response; if yes, the IP destination end immediately sends the response to said IP sending end; otherwise, said IP destination end recombines said IP fragmentation message. By making a response processing for the IP fragmentation message, the response time for IP fragmentation message is shortened; as the response to IP sending end is not made after recombination of IP fragmentation message at IP destination end, the combination expense of response time is reduced.

The invention discloses a method and a system for improving the existing IP recombination process, wherein the IP fragment messages belonging to different VPNs (Virtual Private Networks) are not influenced with each other during recombination by increasing the judgment of the VPNs belonged in the messages for the existing recombination module. The application of the invention can avoid the possibility that IP fragment messages of different VPNs are influenced with each other during recombination, thereby supplementing the description of RFC protocol about IP recombination process, improving the existing IP recombination process, being capable of improving the stability of network device, and improving the transmission quality of IP network. The invention is suitable for IPv4 recombinationand IPv6 recombination, and is independent of the implementation way of VPN.

The invention discloses a hidden information communication method based on an IP fragmentation camouflage technology. The method includes the following steps that (1) hidden information is encrypted; (2) a transmitting end sends a grouped data synchronizing request to a receiving end to indicate that the hidden information starts to be transmitted; (3) the transmitting end selects a bit stream to be sent at the time, modifies message information of K IP data packages to be transmitted, and sends the IP data packages to the receiving end according to a normal TCP / IP protocol; (4) after the bit stream to be sent is sent, the transmitting end judges whether the bit stream which is not transmitted exists, if the answer is yes, the bit stream which is not transmitted continues to be transmitted according to the step (3), otherwise, the transmitting end sends a grouping completion request to the receiving end, network connection is shut down, and hidden information transmission is finished. On the premise that invisibility similar to the prior art is guaranteed, the embedding rate is improved by means of the camouflage fragmentation principle and the combination action of multiple fields, and orderly rearrangement and loss detection of grouping at the receiving end are guaranteed.

The present invention discloses IP message recombination method. Said method includes A, channel selection module less than recombination limitation of length IP slicing retransmission recombination module of recombination equipment, directly transparent transmission retransmission greater than recombination limitation of length IP slicing, transmitting its offset to recombination module for recombination in transparent transmission retransmission just trans- recombination limitation of length IP slicing; B, recombination according to channel selection module retransmitted IP slicing and offset to make recombination, then used as new IP slicing to retransmit. The present invention overcomes current technologic shortage, simplifying IP slicing recombination implementation method, and reducing realizing cost.

The present invention provides an analysis and treatment method of a network data pipeline type, firstly, the message enters a network system through a physical network entrance, the operation of an IP banding recombination, a TCP message reordering, a service quality and a bandwidth management is executed; and then a detection from a first floor to a sixth floor is performed to the message, a detection content comprises a classification and treatment based on a state, a firewall treatment, an antivirus filtering, a counterespionage software detection, an intrusion detection / intrusion defense, a content filtering, an application level gateway and a VPN treatment; a detection result reflects a treatment decision to the message, a part of message is dropped, the other message enters a normal message output treatment; a further treatment is performed again, the operation of a route, a streaming ordering, a bandwidth management and a service quality is executed, subsequently, the message is sent out through a physical network gateway. The efficiency of the network data treatment is greatly improved, and the network delay and the network cost are obviously reduced.

Methods, computer readable programs and network processor systems appropriate for IP fragmentation and reassembly on network processors comprising a plurality of buffers and buffer control blocks, the buffer control blocks comprising a buffer usage field, the buffer usage field having a value set responsive to a quantity of frame data fragments, wherein the network processor system associates a buffer control block with each buffer and frees a first buffer after reading a frame data fragment responsive to the first buffer control block buffer usage field value indicating only one frame data fragment is present in the first buffer.