Traditional networks secure communications between two devices by employing well-known host-to-host security measures. Typically, public keys are exchanged between the devices, and the data exchanged between them is then encrypted using private or secret keys. Well-known security protocols and algorithms for securing a communication include HTTPS, SSL, SSH, RADIUS, Kerberos, OpenID, AES, DES, 3DES, and PKI, among many others.
Although much effort has been devoted to securing data with respect to Confidentiality, Integrity, and Authentication (CIA), data can still fall victim to attack. Typical attacks include a man-in-the-middle attack, where an entity, hostile or otherwise, eavesdrops on all communications on a link between the two devices. The attacker can record the data exchanged and, given enough computing resources, eventually crack the security measures to reveal the secured data.
Other issues also exist with traditional security measures. Ciphers typically employed in encryption conduct data transformations in a serial fashion and place an undue computational burden on the devices. The result is that the maximum achievable throughput for a secured communication severely lags behind the throughput supported by current communication infrastructure technology. For example, current networks can employ 10 Gbps data channels. However, a conventional device connected to such a network would find it difficult to transmit encrypted communications at data rates anywhere close to 10 Gbps while still retaining sufficient CPU bandwidth for other applications.
Offloading encryption responsibilities to support modules or adapters is a poor solution because of the cost of the adapters.
U.S. Pat. No. 4,802,220 to Marker provides for a multi-channel communication security system where information in a message is split among a number of channels of an ISDN line. Such an approach is likely useful for ISDN; however, Marker fails to fully alleviate the overhead of establishing and maintaining secure communications. Rather, Marker requires installation of costly communication adapters within user stations.
U.S. Pat. No. 6,771,597 to Makansi et al. discusses methods of transmitting a message as packets over a network using different techniques, including transmitting the packets through different routes in a network. Unfortunately, Makansi also lacks support for offloading security overhead from the communicating devices.
U.S. Pat. No. 7,010,590 to Munshi provides for secure transactions over an insecure packet-switched network by encrypting packets and transmitting the packets via pseudo-random communication paths. Although Munshi makes further progress toward secure communications, Munshi fails to offer a way to maintain fine-grained control of secure communications among devices.
U.S. Pat. No. 7,233,590 to Beshai describes sending a stream of data from a source node to a core node of a network by distributing the data streams through multiple time slots across several channels. The Beshai approach provides for routing support, but lacks sufficient support for having the network provide protection for a communication between two devices.
U.S. patent publication 2004/0083361 to Noble et al. describes, among other things, transmitting data in a secure fashion by transforming the data and spreading the transformed data piecewise across a plurality of transmission channels. Noble also fails to fully address the need for offloaded security.
U.S. patent publication 2008/0101367 to Weinman makes some further progress toward providing security by transmitting packets along different routes based on a security policy, where a route can be selected from a set of pre-provisioned routes. However, Weinman fails to adequately secure the actual communication between devices.
These and all other extrinsic materials discussed herein are incorporated by reference in their entirety. Where a definition or use of a term in an incorporated reference is inconsistent or contrary to the definition of that term provided herein, the definition of that term provided herein applies and the definition of that term in the reference does not apply.
It has yet to be appreciated that a network can take responsibility for securing communication between devices by establishing a port-to-port session, where the session can be used to maintain fine-grained control over the secure communication. For example, a network could partition a communication into data chunks, where each chunk is sent along a different path from an ingress port to an egress port within a secure session. Such an approach offers several advantages. First, the communication is distributed across multiple paths, channels, or links, rendering a man-in-the-middle attack impractical. Second, each chunk can be encrypted separately, effectively offering a parallel encryption process. Each path, channel, or link in the network could be secured individually to secure a communication. Such benefits can be realized by establishing a secured communication session between two ports of the network fabric rather than requiring the devices, or applications running on the devices, to establish a secure connection.
Thus, there is still a need for providing secure communications across a network fabric.