In one conventional arrangement, a first network node is coupled to a second network node, and the second network node is coupled to a third network node. An application layer data buffer is encrypted, in accordance with a security protocol, in the first network node and the resultant encrypted data buffer is fragmented or segmented, in accordance with a transport layer protocol, for transport in a plurality of frames to the third network node via the second network node. The third network node re-assembles, in accordance with the transport layer protocol, the fragments of encrypted data from the plurality of frames to produce the encrypted data buffer. The third network node then decrypts, in accordance with the security protocol, the re-assembled data buffer to reproduce the application layer data buffer.
In this conventional network arrangement, it is difficult for the second network node to perform meaningful inspection of and/or other analysis upon the encrypted data fragments traversing the second network node from the first network node to the third network node. This arises from a number of factors. For example, in this conventional arrangement, the fragments, as initially received by the second network node, are encrypted, and decryption is a pre-requisite to performing such meaningful inspection and/or other analysis. However, in this conventional arrangement, re-assembly of the encrypted fragments into the entire encrypted data buffer is a pre-requisite to such decryption, since this conventional arrangement is incapable of separately decrypting the individual encrypted fragments (e.g., apart from the re-assembled entire encrypted data buffer). Such re-assembly involves substantial use of a transport layer state and cryptographic information and buffering. Additionally, given the extensive deployment of existing standards-based transport and security protocols, modification of such existing protocols to ameliorate these problems would be difficult.
Furthermore, a relatively large number of connections may traverse the second network node. In this conventional arrangement, in order to perform such meaningful inspection and/or other analysis, the second network node associates each of these connections with its respective transport layer and cryptographic key, state, and/or other information, and must also synchronize, update, maintain, access, and utilize the respective information for each of these connections. This may pose a significant connection scalability issue in this conventional arrangement that may significantly reduce both the number of connections that may be processed and the speed with which such processing may be carried out. This problem may be further exacerbated if routing changes occur to active connections traversing the second network node.
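The following is an added illustration, not part of this document, of the re-assembly dependency described above: an application buffer is encrypted and integrity-tagged as one unit at the first node, fragmented for transport, and the intermediate node cannot verify or decrypt any single fragment; it must buffer every fragment and restore transport order before the record checks out. The cipher is a constructed stdlib-only encrypt-then-MAC stand-in for the security protocol, and the segment sizes, key and sample buffer are assumed values.

```python
import hashlib
import hmac
import os
import random

TAG_LEN = 32    # HMAC-SHA256 tag over the whole encrypted buffer
NONCE_LEN = 12  # per-record nonce carried in front of the ciphertext

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustrative stand-in, not a real AEAD).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    # First node: encrypt-then-MAC over the entire application buffer -> nonce || ct || tag.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_record(key: bytes, record: bytes):
    # Verify-then-decrypt. Returns plaintext, or None when the tag does not verify;
    # the tag covers the whole record, so any proper fragment of it is rejected here.
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def segment(record: bytes, mss: int) -> list:
    # Transport layer: split into (sequence offset, payload) frames, delivered out of order.
    segs = [(i, record[i:i + mss]) for i in range(0, len(record), mss)]
    random.shuffle(segs)
    return segs

def middlebox(key: bytes, segments: list):
    # Second node: no fragment decrypts on its own; only after buffering all frames and
    # using transport state (sequence offsets) to re-order them does the record verify.
    per_fragment = [decrypt_record(key, frag) for _, frag in segments]
    reassembled = b"".join(frag for _, frag in sorted(segments))
    return per_fragment, decrypt_record(key, reassembled)
```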
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly.