1. Field of the Invention
The present invention relates to transmission of packet data over a network. In particular the present invention relates to transmission of packet data over a network with a security protocol.
2. Description of the Related Art
Data transmission over packet data networks, in particularly over Internet Protocol (IP) based networks, is very common nowadays. There are, however, risks in using the Internet or other public data networks for communications. IP-based networks face threats such as viruses, malicious crackers and eavesdroppers.
Virus-scanning software and firewalls are widely used to prevent unauthorized access to internal networks from public networks. When confidential data is transmitted over a public packet data network, the data should be encrypted and the sender and receiver of the data should be authenticated. The security concerns relating to data transmission over public networks can be addressed in a variety of ways. One example is the use of the Internet Security protocol (IPSec) on the IP level. Another example is the use of a security protocol above the IP level.
The Secure Shell protocol is a security protocol that is typically used over the Transfer Control Protocol (TCP) and the Internet Protocol. In principle, the Secure Shell can be used above any protocol providing reliable data streams. A protocol proving reliable data streams refers here to a protocol ensuring that in normal situations a receiver receives data packets in the sending order and all sent data packets are received. The Secure Shell protocol provides encryption and integrity of data and authentication of the sender and receiver of data.
The Secure Shell protocol is in the following used as an example of a security protocol. The Secure Shell is being standardized in the SecSh Working Group of the Internet Engineering Task Force. The Secure Shell protocol is a packet protocol, and the protocol packets contain information about the length of the protocol packet and about padding length. The Secure Shell protocol packet then contains the actual payload and the padding data.
A Secure Shell protocol session between two endpoints is typically established in the following manner. First, a TCP connection is established between the endpoints for an initial key exchange. Thereafter the endpoints authenticate each other and agree on various security parameters by transmitting protocol messages over the TCP connection. After a successful authentication and security parameter negotiation, the negotiated security parameters define encryption and data integrity algorithms that are used for Secure Shell protocol packets transmitted over the TCP connection. Some further transmission parameters, for example data compression algorithms, may be defined for the data to be transmitted over the TCP connection.
There may be a plurality of channels within a single Secure Shell session. These channels share the authentication and negotiated security parameters, and data relating to all channels is transmitted over the TCP connection established for the Secure Shell session. New channels may be opened and existing channels may be closed during a Secure Shell session.
When the TCP connection carrying the Secure Shell protocol packets is slow or the TCP connection goes via overloaded networks, the throughput of the Secure Shell protocol is quite low. For some reason, the throughput is lower than what could be expected simply based on the throughput of the underlying TCP connection. Furthermore, if some TOP packets carrying Secure Shell protocol packets are lost and need to be retransmitted, it takes a while before the Secure Shell protocol recovers. This is at least partly due to the fact that the flow control of the Secure Shell is disturbed and the data buffers of the Secure Shell session may be filled. A further problem is that in an overloaded network, a TCP connection used by the Secure Shell protocol may be slower than TCP connection on the average.
Furthermore, data that is transmitted between the endpoints of a Secure Shell session may contains packet data relating to various applications, which have different security requirements. For example, packet data for a video player could suffice with a light encryption, whereas text files to be transmitted should be secured with a stronger encryption. It may be quite difficult to find encryption parameters to provide a suitable compromise. One option to overcome this problem is to open a plurality of Secure Shell protocol connections between the endpoints and to select the security parameters for the separate Secure Shell protocol connections to meet the requirements of the different applications, but this requires further memory and other resources in the endpoints.
There are thus various problems relating to providing a Secure Shell session over a TCP connection or other reliable packet data protocol connection. It is appreciated that although above reference is made mainly to the Secure Shell protocol, the problems may be relevant also for other security protocols.
Embodiments of the present invention aim to provide method for transmitting data over a network with a security protocol in a flexible manner.