Securely managing network element state information in transport-layer associations
US7630364B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
|---|---|
| Filing date | Oct 24, 2005 |
| Grant date | Dec 8, 2009 |
| Priority date | — |
| Expiry date | Dec 20, 2027 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/0263
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
Rules in NAT and firewall devices are updated only when a packet flow is verified as genuine through transport-layer message acknowledgment sequences. When a device receives a packet indicating initiation of a new association, the device stores an internal source tag, an internal destination tag, an external source tag, and an external destination tag. Only after receiving a completion acknowledgment message from the destination node does the device set the internal source tag equal to the external source tag and the internal destination tag equal to the external destination tag. The rules are then updated based on the internal tags. As a result, the approach thwarts denial-of-service (DoS) attacks that seek to modify the rules of NAT and firewall devices to permit harmful traffic.
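The mechanism in the abstract, as an added illustration that is not code from the patent or from any product implementing it: a stateful filter records the external tags (the addresses seen on the wire) when an initiation packet arrives, leaves the internal tags unset, and copies external into internal only when the destination node's completion acknowledgment is observed. Forwarding rules are derived solely from the internal tags, so a flood of initiation packets that are never acknowledged fills the pending table but never changes the rule set. The packet format, the use of TCP SYN / SYN-ACK as the initiation and completion messages, and the sample addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (address, port); a simplification of the patent's "tag"


@dataclass
class Association:
    # External tags: taken from the packet that initiated the association.
    ext_src: Endpoint
    ext_dst: Endpoint
    # Internal tags: left unset until the destination node acknowledges.
    int_src: Optional[Endpoint] = None
    int_dst: Optional[Endpoint] = None

    @property
    def verified(self) -> bool:
        return self.int_src is not None and self.int_dst is not None


def pkt(src: Endpoint, dst: Endpoint, *flags: str) -> dict:
    """Constructed packet record (example format, not a real wire format)."""
    return {"src": src, "dst": dst, "flags": frozenset(flags)}


class StatefulFilter:
    """Rule table that only changes on verified transport-layer associations."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[Endpoint, Endpoint], Association] = {}
        self.rules: Set[Tuple[Endpoint, Endpoint]] = set()   # built from internal tags only

    def on_packet(self, p: dict) -> str:
        key = (p["src"], p["dst"])
        reverse = (p["dst"], p["src"])
        flags = p["flags"]

        if flags == {"SYN"}:
            # Initiation: store external tags; internal tags stay unset.
            self.pending[key] = Association(ext_src=p["src"], ext_dst=p["dst"])
            return "pending"

        if flags == {"SYN", "ACK"}:
            # Completion acknowledgment from the destination node (assumed to be SYN-ACK).
            assoc = self.pending.get(reverse)
            if assoc is None:
                return "dropped"            # no matching initiation: unsolicited acknowledgment
            assoc.int_src = assoc.ext_src   # internal := external, exactly as the abstract states
            assoc.int_dst = assoc.ext_dst
            self.rules.add((assoc.int_src, assoc.int_dst))   # rule derived from internal tags
            del self.pending[reverse]
            return "verified"

        # Any other packet is forwarded only if a verified rule covers the flow in either direction.
        if key in self.rules or reverse in self.rules:
            return "forwarded"
        return "dropped"


def run_demo() -> dict:
    """One genuine handshake followed by a flood of unacknowledged initiations."""
    f = StatefulFilter()
    client, server = ("10.0.0.5", 40000), ("203.0.113.7", 443)      # constructed addresses
    f.on_packet(pkt(client, server, "SYN"))
    f.on_packet(pkt(server, client, "SYN", "ACK"))
    legit = f.on_packet(pkt(client, server, "ACK"))

    # Spoofed initiations that never complete: each gets a pending entry, none gets a rule.
    for i in range(1000):
        f.on_packet(pkt(("192.0.2.%d" % (i % 256), 1024 + i), server, "SYN"))
    spoofed = f.on_packet(pkt(("192.0.2.1", 1025), server, "ACK"))

    return {
        "legit_data": legit,
        "spoofed_data": spoofed,
        "pending_after_flood": len(f.pending),
        "rules_after_flood": len(f.rules),
    }


if __name__ == "__main__":
    print(run_demo())
```

The pending table is the only state an unverified sender can influence; a deployment would still bound its size (the patent abstract does not describe that), but the rule set that governs forwarding is untouched by the flood, which is the property the abstract claims.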
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.