1. Field of the Invention
The present invention is related to the field of inter-computer networking and more particularly to a methodology and/or protocol that requires network header metadata, such as access control identifiers (ACIs), to be transitioned and operated upon among a plurality of separately defined computer network domains. The present invention is also related to the field of encrypted computer network communication and, more particularly, to a methodology for implementing functions that require unencrypted data in a secure computer network.
2. Description of the Related Art
A network typically requires the transmission of access control identifiers (ACIs) at various layers of a communication stack to enable successful completion of an end-to-end (E2E) transmission. Across that E2E path, however, are various service facilities that utilize the ACIs, whether in the header or embedded in the payload, for functions such as routing, inspection, user or location identification, forwarding, etc. When such a service facility, e.g., a proxy server, post office or other application-based traversal mechanism, is utilized, the ACIs are lost and are no longer available to a session protocol. This loss of ACIs, for example in IP identifiers, occurs due to the layer mechanisms inherent in the protocol stack. Specifically, the processing elements operating at a particular layer can operate only on ACIs available to that particular layer and not at layers above or below. As a result, the intervening service facility causes services such as access control capability to be lost and/or terminated, leaving only routing data available for reuse.
Various prior art methods have been proposed which teach that a singular self-contained service can be used to inspect the payload and compare it against a store of known rules prior to forwarding. Service facilities disclosed for such methods can operate on predefined network topologies and are used within these topologies to provide some service, e.g. forwarding or inspection. These prior art approaches provide no inheritance of the ACIs across services within the communications path and are limited to cascading services performed within a single network domain.
In sum, existing service facilities within networks are uni-directional, self-contained and/or require known network-specific topologies. Services based on the existing art have limited session facilities on the network, requiring service functions to be embedded within the application itself or within a series of applications as part of the application codes/functions. Session persistence is only maintained by the application and is otherwise terminated when the session-layer ACIs are lost between applications or service facilities. The existing art does not provide service mechanisms that allow bi-directional movement of the ACIs as is required in a session-based service.
Additionally, a secure computer network requires the transmission of encrypted data with associated ACIs from a data source to a specified data destination. However, many computer network functions such as intrusion detection, load balancing, TCP/IP acceleration, etc. need to operate on cleartext or unencrypted data and will not perform properly when processing encrypted data. Thus, functions requiring cleartext, when embedded within a conventional secure network, do not perform properly.
A mechanism for providing access control on network communications used by the Department of Defense is to place identifiers on Internet Protocol (IP) data streams. These identifiers can be checked at the source and destination host machines to determine if the sender can send that type of information and whether the receiver can receive that type of information. In a standard client server environment, where all systems between the two host systems operate only on the IP layer, this access control mechanism has been shown to work well and has many government approvals for its operation.
However, when a proxy, service facility or other application-based traversal mechanism is utilized, IP identifiers that are placed on the individual packets are lost and thus network-level access control mechanisms cannot be utilized. This loss is consistent with the operation of the standard TCP/IP and IPsec protocol stacks which operate in a layered fashion where processing elements operating at a particular layer can see all data at that level and above, but none below. Since the proxy/application is at the application layer, it cannot generally see information at the IP layer.
Therefore, a need exists for a system and method by which header data at different layers of the communications protocol stack is maintained throughout a network session that traverses multiple networks and domains.