1. Field
This invention relates to Internet Protocol security (IPsec) protocol secure channels, and more specifically to preventing unnecessary packet retransmissions during IPsec security association establishment.
2. Background
IPsec is a standards-based network security protocol that is positioned at the network layer (OSI layer 3) of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. To protect a network flow, IPsec performs processing on outgoing and incoming packets using a security association. This security association describes the network packet flow information (IP addresses, protocol and ports) and the protection suite (algorithms, etc.) used to protect the network packet flow. Combinations of IP addresses, protocols, and ports are used to define filters. When a host transmits a packet that matches filter information but is not currently being protected by an active security association, the Internet Key Exchange (IKE) protocol may be used to establish a security association with the communicating peer or network unit. Because of the time necessary for generating keys, network latencies, etc., the IKE negotiation may take some time. Until the security association is finally established, the IPsec packet classification driver has no choice but to discard packets that are to be protected by the security association under negotiation. This is because of the limited amount of non-paged memory in the operating system (OS) kernel.
For Transmission Control Protocol (TCP) communication, before any application data is sent, the TCP/IP stack sends a synchronize (SYN) packet. The SYN packet is used to begin the connection establishment procedure. Since TCP is a reliable protocol, when the network layer does not receive an acknowledgment from the communicating peer (because the driver never sent the packet, but instead discarded it), the network layer retransmits the SYN packet. The timeout that TCP uses before retransmitting the packet starts out small. As more retransmissions are required, the timeout is increased.
FIG. 1 shows a diagram of an example system containing a client, a gateway, and a server. Client 10 accesses a gateway 14 using the Internet 12. The gateway 14 protects access to devices on an Intranet 16 including server 18. To send data packets from client 10 to server 18, the client must first send a SYN packet to establish a connection with server 18.
FIG. 2 shows a flow chart of the retransmission process. An application at a host makes a request for a communication to be established to transfer data across a network to another device, the “communicating peer” (e.g., a server) S1. Before the data is sent, a SYN packet is sent to the communicating peer S2. The network layer at the host unit determines whether an acknowledgment from the communicating peer has been received, acknowledging that the SYN packet has arrived at the communicating peer S3. If an acknowledgment has been received at the host, a communication channel is established and the data is sent S4. However, if an acknowledgment from the communicating peer has not been received, the network layer waits a particular length of time X S5. The network layer then resends the SYN packet S6. Again it is determined whether an acknowledgment has been received from the communicating peer S7, and if so, the data packets are sent S4. If an acknowledgment has not been received from the communicating peer, then the time X is increased S8. The network layer at the host then waits for an amount of time equal to X S9, and then resends the SYN packet again S10. It is then determined whether an acknowledgment was received S11, and if so, the data is sent S4. This process is repeated until a timeout occurs S12 or an acknowledgment is received. If a timeout has occurred, the connection attempt is ended S13.
For an application which uses User Datagram Protocol (UDP) and provides its own reliability, the application will retransmit packets while the driver is dropping the packets and waiting for a security association to be established. Once a security association is established, the TCP/IP stack or the UDP-based application will wait, on average, half of the current timeout value before sending the packet. As noted previously, trying to address the retransmission problem at the packet classification driver is problematic: because of buffer limitations in the operating system kernel, it is too late to mitigate packet retransmissions by the time a packet reaches the IPsec packet classification driver. Further, the classification driver would have to store the whole packet, but given the speed of most systems, this would cause the packet classification driver's memory to fill up quickly, possibly causing the host unit to stop.
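The following added example models the interaction described above (filter matching and SA state in the classification driver, the TCP SYN retransmission loop of FIG. 2, and the "half the timeout" wasted wait). It is illustrative code written for this page, not an implementation from the patent or any IPsec stack; the filter, addresses, IKE delay and retransmission timer values are constructed assumptions, and real stacks use different timer constants.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Outgoing packet as seen by the classification driver (constructed)."""
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """IPsec selector: destination address, protocol and optional port."""
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst_ip == self.dst_ip
                and pkt.protocol == self.protocol
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


class ClassificationDriver:
    """Toy model of the IPsec packet classification driver (assumption).

    A packet matching a filter is sent only if that filter already has an
    active security association (SA). Otherwise the driver starts IKE
    (modelled as completing ike_delay_ms later) and discards the packet,
    because it cannot afford to queue it in non-paged kernel memory.
    """

    def __init__(self, filters: List[Filter], ike_delay_ms: int) -> None:
        self.filters = filters
        self.ike_delay_ms = ike_delay_ms
        self.sa_ready_at: Dict[Filter, int] = {}  # filter -> SA active time
        self.dropped = 0
        self.sent = 0

    def send(self, pkt: Packet, now_ms: int) -> bool:
        """Return True if the packet left the host, False if discarded."""
        for flt in self.filters:
            if not flt.matches(pkt):
                continue
            ready = self.sa_ready_at.get(flt)
            if ready is None:                      # no SA yet: start IKE
                ready = now_ms + self.ike_delay_ms
                self.sa_ready_at[flt] = ready
            if now_ms < ready:                     # IKE still negotiating
                self.dropped += 1
                return False
            self.sent += 1                         # active SA: protect, send
            return True
        self.sent += 1                             # no filter: send unprotected
        return True


def simulate_tcp_connect(driver: ClassificationDriver, pkt: Packet,
                         initial_rto_ms: int = 1000,
                         max_syns: int = 6) -> Tuple[bool, int, int]:
    """Walk the FIG. 2 flow chart: send SYN, wait X, increase X, resend,
    until a SYN actually reaches the wire (the peer's ACK then follows) or
    the stack gives up. Returns (connected, time_of_last_syn_ms, syns_sent)."""
    now, rto = 0, initial_rto_ms
    for attempt in range(1, max_syns + 1):
        if driver.send(pkt, now):       # S3/S7/S11: this SYN gets an ACK
            return True, now, attempt
        now += rto                      # S5/S9: wait X
        rto *= 2                        # S8: increase X (doubling assumed)
    return False, now, max_syns         # S12/S13: timeout, give up


# Constructed sample policy and flow: protect all TCP traffic to 10.0.0.5.
SERVER_FILTER = Filter(dst_ip="10.0.0.5", protocol="tcp")
SYN_PKT = Packet(src_ip="192.0.2.10", dst_ip="10.0.0.5",
                 protocol="tcp", dst_port=443)


def wasted_wait_ms(ike_delay_ms: int, initial_rto_ms: int = 1000) -> int:
    """Time between the SA becoming active and the SYN that finally uses it:
    the unnecessary delay the text is concerned with."""
    driver = ClassificationDriver([SERVER_FILTER], ike_delay_ms)
    connected, t_syn, _ = simulate_tcp_connect(driver, SYN_PKT, initial_rto_ms)
    assert connected, "IKE delay exceeds the modelled SYN retry budget"
    return t_syn - driver.sa_ready_at[SERVER_FILTER]


def average_wasted_wait_ms(ike_delays_ms) -> float:
    """Average wasted wait over many IKE completion times, spread evenly
    across one retransmission interval: about half that interval."""
    delays = list(ike_delays_ms)
    return sum(wasted_wait_ms(d) for d in delays) / len(delays)


if __name__ == "__main__":
    drv = ClassificationDriver([SERVER_FILTER], ike_delay_ms=2500)
    print(simulate_tcp_connect(drv, SYN_PKT))              # (True, 3000, 3)
    print(wasted_wait_ms(2500))                            # 500
    print(average_wasted_wait_ms(range(1100, 3000, 100)))  # 1000.0
```

With an IKE negotiation of 2.5 s and a 1 s initial timer, the SYNs at 0 s and 1 s are discarded, the SA is active at 2.5 s, and the connection only proceeds on the third SYN at 3 s; spreading the IKE completion time evenly across the 1 s to 3 s retransmission interval gives an average wasted wait of 1 s, half that interval, as the text states.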
Therefore, a mechanism is needed that can prevent these unnecessary packet retransmissions.