47 results about "Security Parameter Index" patented technology

Method and apparatus for Internet Protocol Security (IPSec) and Network Address Translation (NAT) integration is described. A client obtains a public address from a gateway for IPSec communication. A mapping table is used to form associations between a local address for the client and a destination address for a peer, an Internet Security Association and Key Management Protocol (ISAKMP) Initiator Cookie and a Security Parameters Index associated with communication between the client and the peer. Incoming and outgoing routing may be done at the gateway using the mapping table.

For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer.

Processes are disclosed in which an index value is generated for locating a security association in a security association database, such as an inbound SAD associated with the IPsec set of protocols. The index value is specified for insertion into a Security Parameter Index (SPI) field of a packet header, such as an IPsec header. For packets that are to be secured according to the policies and protocols identified in the header and the security association and that are transmitted to a particular network device or host, the index value is inserted into the SPI field of the packets by a packet sender. The packet is then parsed by a packet receiver, the index value determined from the SPI and used to identify the security association in the SAD, based solely on the index value determined from the SPI. Hence, a simple and efficient mechanism is provided for fast inbound security association lookups.

Method and apparatus for enhanced security for communication over a network, and more particularly to control of security protocol negotiation to enable multiple clients to establish a virtual private network connection with a same remote address, is described. A mapping table accessible by a gateway computer is used to form associations between a local address for the client and a destination address for a peer and a Security Parameters Index associated with IPSec-protected traffic from the peer. When a packet is received at the gateway from a client it is checked to determine if it is an Internet Key Exchange (IKE) packet, whether an IKE session has already been recorded from this client in the mapping table for the destination address in the IKE packet, whether a Security Parameters Index has been observed in the clear from a remote computer associated with the destination address.

A method and apparatus for facilitating Internet Security Protocol (IPsec) communications through devices that employ address translation in a telecommunications network is disclosed. A device that employs address translation, such as a router using Network Address Translation (NAT), receives IPsec based messages from originator nodes in a network and generates a result value for each message based on an initial identifier for each message. The messages are sent to a responder node that generates a response message to each originator node with a subsequent identifier that is based on the corresponding initial identifier. The device matches each response messages to the appropriate originator node within the network based on the result values and the subsequent identifiers. For example, the initial identifiers may be originator Security Parameter Indexes (SPI), and the subsequent identifiers may be responder SPI's that are each based on a hash value of the corresponding originator SPI.

A method is provided for managing mobility of an Access Terminal (AT) in a mobile communication system using a Mobile Internet Protocol (MIP). The method includes generating, by an AT that has entered a new network, a Security Parameter Index (SPI) and a security key for mutual authentication with a Home Agent (HA) of the new network, sending, by the AT, a registration request message including authentication information including the SPI, the authentication information being generated using the security key, upon receipt of the registration request message, searching, by the HA, a database for the SPI included in the authentication information, verifying the authentication information according to the search result, upon successful verification of the authentication information, generating, by the HA, mobility binding information of the AT, and sending, by the HA, a registration response message including the HA's IP address.

The invention provides a method for achieving message-crossing network address translation device. The method comprises (S1) enabling an intranet to send a message to the network address translation device, and enabling the message to carry an intranet internet protocol (IP) address, an intranet safety parameter index and an extranet safety parameter index; (S2) enabling the network address translation device to receive the message, and building a mapping table according to the intranet IP address, the intranet safety parameter index and the extranet safety parameter index which the message carries and a public network IP address; and (S3) enabling the intranet IP address of the message to be converted into the public network IP address according to the mapping table, and sending the message to an extranet device through the public network IP address; and enabling the extranet safety parameter index to be the safety parameter index of the extranet device. By building a network address translation (NAT) device address mapping, when the message in an internet protocol security (IPSec) tunnel undergoes NAT crossing, port address conversion can be performed without adding a user datagram protocol (UDP).

The invention provides a method and a device of obtaining IPSec SA (Internet Protocol Security Association). The method comprises the following steps that: a VAM (Virtual Private Network Address Management) client registers with a VAM server; the VAM server issues the corresponding IPSec SA to the VAM client according to the registration information of the VAM client; the VAM client transmits a keepalive message to the VAM server; the keepalive message comprises an SPI (Security Parameter Index) of the local newest IPSec SA of the VAM client; the VAM server judges whether the SPI of the newest IPSec SA of the VAM client is equal to the SPI of the local newest IPSec SA; if the SPI of the newest IPSec SA of the VAM client is not equal to the SPI of the local newest IPSec SA, the local newest IPSec SA is issued to the VAM client. Through the method and the device, the centralized management and issuing of the IPSec SA in an ADVPN (Auto Discovery Virtual Private Network) network can be implemented, and meanwhile, the keepalive message is initiated by the VAM client, so that when the local IPSec SA of the VAM client is updated by the VAM server, the newest IPSec SA, which is issued by the VAM server, can normally pass through an NAT (Network Address Translator).

The invention discloses a load sharing method and system for an IPSEC (Internet Protocol Security) data message, belonging to the technical field of network communication. The load sharing method comprises the following steps of: S1, receiving a current IPSEC data message sent by an intranet to an extranet; S2, searching a route list to obtain an exit corresponding to the current IPSEC data message, and judging whether the outlet has a load sharing function or not; and if the outlet has the load sharing function, executing step S3; and S3, classifying the IPSEC data message with same IP (Internet Protocol) five-element group and safe parameter index as a same data stream, and sending the message of the same data stream through the same extranet entrance, so as to share a load. According to the load sharing method and system provided by the invention, the IPSEC data message is branched by using the IP five-element group and the safe parameter index, and data are sent according to a branching result, so that the precision of branching the IPSEC data message and the properties of the entire machine can be improved.

A process for managing encrypted group communication according to a single security association (SA) for network traffic from a sender includes receiving a request for an encrypted communication among a plurality of network devices. A common decryption key and a common security parameters index (SPI) are provided to each of the network devices participating in the communication. The common security parameters index facilitates locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association. Information is encrypted based on the common security association, and unicasted to each of the network devices. In an embodiment, the common security parameters index provided to each network device is established by the sender. For example, the SPI is established by a conference server and sent to each device participating in a voice conference.

A method of providing access of a mobile terminal to an IP network includes establishing a security association between the mobile terminal and a first security gateway of a first router in said plurality of routers. The mobile terminal is provided access to the IP network via the first router, and the data exchanged between the mobile terminal and the first router is encapsulated by using the security association. The security association is made available to at least one second router having a second security gateway. The mobile terminal is provided access to the IP network via said the second router, and data exchanged between the mobile terminal and the second router is encapsulated by using the same security association. Establishing the security association includes assigning a Security Parameter Index that identifies univocally the first security gateway and the security association. Making the security association available to the second router includes making available to the second router the Security Parameter Index. The second router may thus have access to the security association either by requesting it from the first router or by identifying it in a set of security associations sent from the first router to a set of routers candidate to become the second router as result of the mobility of the mobile terminal.

A first computer sends a list of possible security associations to a second computer in a message according to a protocol of an application layer, a security parameter index being contained in the message for each security association. The second computer selects a security association and transmits it or an indication of the security association selected by it to the first computer.

The invention provides a security parameter index management method and apparatus, which is applied to a communication device. The apparatus is characterized in that the communication device comprisesan index array; and the index array comprises idle array elements not used for generating security parameter indexes. The method comprises the steps of selecting an idle array element as a first target array element; and based on an array subscript of the first target array element, generating the security parameter index to be allocated to security association, and assigning an address pointer pointing to the security association to the first target array element. The security parameter indexes are allocated in an array form, and the security parameter indexes are generated based on the array subscripts of the idle array elements, so that the generated security parameter indexes are ensured not to be used certainly and the problem of security parameter index allocation conflict is avoided. The security parameter indexes are organized by adopting the array; and compared with a mode using a HASH table in the prior art, fewer memories are occupied and the search efficiency is higher.

The invention discloses a data transmission method and device, related equipment and a storage medium. The method comprises: by utilizing a flow identifier of the data flow a virtual SPI identifier and a security parameter index identifier (SPI) of an internet protocol security (IPSec) tunnel for transmitting the data flow, determining a virtual SPI identifier; for each encrypted message in the data stream, carrying a virtual SPI identifier in the corresponding message; and transmitting the data stream to a receiving end through the IPSec tunnel, wherein the virtual SPI identifier is used forthe receiving end to send each message of the data stream to the same decryption unit for decryption processing.

The present invention utilizes the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assigns a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.

A method reduces signaling overhead of a mobile node that maintains at least one active Next Steps in Signaling session. The mobile node has a MOBIKE connection to a virtual private network gateway, and changes its link to the Internet. At least the IP address of the VPN gateway and/or an address space corresponding to the subnetwork of the VPN gateway is/are inserted into the message routing information object contained in the NSIS message. A value is defined for a security parameter index. The SPI value is inserted into the MRI object. The S flag is set in the MRI object. An address space that refers to the IP address of the mobile node is inserted into the MRI object.

The invention relates to a key negotiation method and device, computer equipment and a storage medium. The method comprises the following steps: carrying out session with opposite-end equipment; pre-negotiating with the opposite-end equipment before the end of the session lifetime to obtain a session key and a security parameter index of the opposite-end equipment; and recording a corresponding relation between the security parameter index and the session key, so as to find the corresponding session key according to the security parameter index of the opposite end equipment when the session with the opposite end equipment is carried out after the session lifetime is finished. By adopting the method, the problem of communication data loss caused by asynchronous session key switching can beavoided, and the communication stability is improved.

A process method, apparatus and system for controlling data stream are provided. The method includes: a Broadband Network Gateway (BNG) receives relationship between stream information and an Internet protocol security security parameter index (IPSec SPI); the BNG receives relationship between the stream information and fixed network control information; the BNG receives data stream; and the BNG acquires the fixed network control information corresponding to the data stream according to the IPSec SPI of the data stream, the relationship between the stream information and the IPSec SPI and the relationship between the stream information and the fixed network control information, and controls the data stream according to the acquired fixed network control information. After receiving the data stream subsequently, the BNG acquires the fixed network control information corresponding to the data stream according to the stream information of the data stream and the aforementioned relationships, and controls the data stream according to the acquired fixed network control information, thereby enabling the BNG to control the data stream and implementing the process for controlling stream on data stream of multiple services of an identical User Equipment (UE).

The invention discloses a quantum encryption communication method and device and a computer readable storage medium. The method comprises the following steps of: obtaining a sample; sending the key acquisition message carrying the key reading identifier to a first quantum key server QKS in a quantum key distribution network QKDN, sending the key reading identifier and a key corresponding to the key reading identifier to a second QCCD in the CCN by the first QKS through a second QKS in the QKDN; receiving a secret key fed back by the first QKS, and sending the secret key reading identifier andthe communication session message encrypted by using the secret key to a second QCCD, so that the second QCCD searches the secret key corresponding to the secret key reading identifier, and decrypts the encrypted communication session message by using the searched secret key; Wherein the key reading identifier comprises a security parameter index SPI bit and an SPI round digit. The quantum encryption communication method and device solve the problem that in the existing quantum encryption communication process, an old session is frequently terminated, and a new session is generated.