Title: EFFICIENT FORWARDING OF ENCRYPTED TCP RETRANSMISSIONS
Abstract: A network device receives TCP segments of a flow via a first SSL session and transmits TCP segments via a second SSL session. Once a TCP segment has been transmitted, its TCP payload need no longer be stored on the network device. This conserves substantial memory, because the device may have to handle many retransmit TCP segments at a given time. If the device receives a retransmit segment, it regenerates the retransmit segment to be transmitted. A data structure of entries is stored, each entry including a decrypt state and an encrypt state for an associated SSL byte position. The device uses the decrypt state to initialize a decrypt engine, decrypts the SSL payload of the received retransmit TCP segment, uses the encrypt state to initialize an encrypt engine, re-encrypts the SSL payload, and then incorporates the re-encrypted SSL payload into the regenerated retransmit TCP segment.
Publication number: US2014195797(A1) Publication date: 2014.07.10
Application number: US201313737907 Filing date: 2013.01.09
Applicant: du Toit Roelof Nico Inventor: du Toit Roelof Nico
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method comprising:
(a) receiving onto a network appliance a first retransmit TCP (Transmission Control Protocol) segment, wherein the first retransmit TCP segment has: 1) a TCP sequence number in a TCP header of the first retransmit TCP segment, and 2) a first encrypted SSL (Secure Sockets Layer) payload;
(b) determining from the TCP sequence number in the TCP header a second TCP sequence number, wherein the second TCP sequence number corresponds to a start of the first encrypted SSL payload;
(c) determining from the second TCP sequence number a first start byte position in SSL sequence space, wherein the first start byte position in SSL sequence space corresponds to the start of the first encrypted SSL payload;
(d) using the first start byte position to determine: 1) a second start byte position in SSL sequence space, and 2) a decrypt engine state associated with the second start byte position;
(e) putting a decrypt engine into the decrypt engine state determined in (d);
(f) incrementing the state of the decrypt engine an amount, wherein the amount is a function of the first start byte position and the second start byte position;
(g) using the decrypt engine to decrypt the first encrypted SSL payload thereby generating a decrypted SSL payload;
(h) encrypting the decrypted SSL payload thereby generating a second encrypted SSL payload; and
(i) transmitting from the network appliance a second retransmit TCP segment, wherein the second retransmit TCP segment includes the second encrypted SSL payload that was generated in (h), and wherein the first and second retransmit TCP segments are both communicated across the same flow of the same TCP connection.
Address: Portersville PA US
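A worked illustration of the checkpoint mechanism described in the abstract and claim 1, added here as an example and not code from the patent or any product. It uses RC4 as a stand-in stateful stream cipher (chosen only because its state must be stepped byte by byte, which is what makes stored checkpoints worthwhile), assumes the TCP sequence number of each segment is the start of its SSL payload (so step (b) is the identity), and uses constructed keys and data.

```python
class RC4:  # toy stateful stream cipher standing in for the SSL record cipher (illustration only)
    def __init__(self, key):
        S, j = list(range(256)), 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0
    def state(self):  # snapshot that the appliance stores as a decrypt or encrypt state
        return (list(self.S), self.i, self.j)
    @classmethod
    def from_state(cls, st):  # step (e): put a fresh engine into a stored state
        eng = cls.__new__(cls); eng.S, eng.i, eng.j = list(st[0]), st[1], st[2]
        return eng
    def _byte(self):  # one keystream byte; the state can only be advanced sequentially
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + self.S[self.i]) & 0xFF
        self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
        return self.S[(self.S[self.i] + self.S[self.j]) & 0xFF]
    def advance(self, n):  # step (f): increment the engine state by n bytes
        for _ in range(n): self._byte()
    def xor(self, data):  # encrypt and decrypt are the same operation for a stream cipher
        return bytes(b ^ self._byte() for b in data)

class Appliance:  # forwards SSL bytes from session 1 to session 2, keeping only checkpoints
    def __init__(self, key_in, key_out, ssl_start_seq, every=16):
        self.dec, self.enc = RC4(key_in), RC4(key_out)
        self.base, self.every, self.pos = ssl_start_seq, every, 0  # base: TCP seq of SSL byte 0
        self.entries = {}  # SSL byte position -> (decrypt state, encrypt state)
    def forward(self, seq, payload):  # normal in-order path: decrypt, re-encrypt, forget payload
        out = bytearray()
        for b in payload:
            if self.pos % self.every == 0:  # store an entry at every checkpoint boundary
                self.entries[self.pos] = (self.dec.state(), self.enc.state())
            out += self.enc.xor(self.dec.xor(bytes([b])))
            self.pos += 1
        return bytes(out)
    def retransmit(self, seq, payload):  # steps (b)-(i): regenerate the outbound retransmit
        start = seq - self.base                          # (c) SSL byte position of the payload
        cp = max(p for p in self.entries if p <= start)  # (d) nearest stored position <= start
        dec, enc = RC4.from_state(self.entries[cp][0]), RC4.from_state(self.entries[cp][1])
        dec.advance(start - cp); enc.advance(start - cp)  # (f) step both engines to 'start'
        return enc.xor(dec.xor(payload))                  # (g)(h) decrypt, then re-encrypt

def demo():  # constructed sample: forward one record, then regenerate a retransmit of bytes 20..40
    plaintext = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    cipher_in = RC4(b"client-key").xor(plaintext)           # bytes as received on session 1
    app = Appliance(b"client-key", b"server-key", ssl_start_seq=1000)
    sent = app.forward(1000, cipher_in)                      # bytes transmitted on session 2
    regen = app.retransmit(1020, cipher_in[20:40])           # client retransmits seq 1020..1039
    return regen == sent[20:40] and RC4(b"server-key").xor(sent) == plaintext
```

The regenerated segment matches what was originally sent even though the appliance kept no copy of the payload, only the engine states at positions 0, 16 and 32.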