1. Technical Field
The present invention relates generally to computer systems and in particular to network communication components of computer systems. Still more particularly, the present invention relates to a method and system for verifying correct operation of a network adapter within a computer system.
2. Description of the Related Art
One recent development in Internet Protocol (IP) communication technology is the IP Security protocol (IPSec). IPSec is a security addition to the IP protocol that adds security and privacy to TCP/IP communication. IPSec is a suite of protocols that seamlessly integrates security features, such as authentication, integrity, and confidentiality, into IP. Using the IPSec protocols, an encrypted or authenticated path can be created between two peers (or Policy Enforcement Points) utilizing Internet Key Exchange (IKE). Each peer is a device, such as a client, router, or firewall, that serves as an endpoint for the tunnel.
IPSec is typically used in a gateway-to-gateway configuration (although a client-to-gateway configuration may also be utilized). Accordingly, all traffic between gateways rides in a virtual “tunnel,” which both verifies the authenticity of the sender and the receiver and encrypts all data traffic (e.g., packets). IPSec typically encodes identification (ID) information (e.g., local and remote IDs such as IP addresses, tunnel endpoints, etc.) in the IPSec packet during the IKE negotiation and data transfer.
Implementation of IPSec in a gateway/terminal requires an IPSec adapter and a corresponding software-based device driver. Typically, the gateway/terminal is a computer system with a processor and memory, and the device driver is stored within memory and executed by the processor (in concert with the OS) to control the hardware-configured IPSec adapter. The IPSec adapter (or adapter card) has a direct (or indirect) connection to the external network on which the destination gateway/terminal is located.
IPSec chip sets are now available and are provided as a component part of most network adapters. Although the IPSec operations are performed on the network adapter in a “bump-in-the-stack” mode, the adapter must still be dynamically configured. The IPSec adapter must be told by its corresponding device driver how to handle particular Security Associations (SA).
For example, referring briefly to FIG. 6, hostC has a Security Association (SA) with two remote hosts, hostA and hostB, to which hostC connects via wide area network 609, such as the Internet. The IPSec adapter of hostC is told by the device driver to encrypt data that has hostA as its destination with Data Encryption Standard (DES) and secret key “qwerty”. The IPSec adapter is also told by the device driver to encrypt data that has hostB as its destination with triple-DES and secret key “bluesky”.
IPSec adapters typically operate according to the control information received from the device driver. Occasionally, however, the network adapter and the device driver become out-of-sync and the network adapter fails to encrypt, or to correctly encrypt, data being transmitted. Unfortunately, with IPSec chips placed on the network card, such errors occur silently, and SA information is dropped without hostC being made aware that it is transmitting un-encrypted data (typically clear text). Of course, this may lead to a variety of other problems.
A particular IPSec card may hold/support up to 16 SAs. If the device driver and the adapter become out of sync, the device driver may send an outbound IP packet to the adapter thinking the adapter will match this packet to one of the 16 SAs and perform the IPSec encryption. If the adapter does not match this outbound packet, the adapter will send the packet out on the network in clear text. The adapter does not report this as an error, since a large amount of network traffic is sent and received in clear text.
The difficulty in addressing this problem is primarily due to the fact that once the outbound packet is sent to the adapter, the device driver must trust that the card is configured correctly and will do the necessary encryption. With the current design model, an IPSec layer (kernext) examines the outbound packet and, if kernext determines that the correct SA is in place on the IPSec network adapter, kernext sends the packet to the device driver in clear text, expecting that the adapter will recognize the packet and perform the IPSec encryption on it before sending it out. However, kernext has no way of knowing whether the adapter's encryption of the packet completed successfully.
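The silent failure described above can be modeled in a few lines. The following C simulation is an added example, not code from the patent: the `sa_table` layout, the function names and the host addresses are hypothetical, and comparing the driver's table with the adapter's directly is an assumption of the simulation, since kernext has no such view.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SA 16                /* the page's example card holds up to 16 SAs */

typedef enum { WIRE_ENCRYPTED, WIRE_CLEARTEXT } wire_t;
typedef struct { uint32_t dst; int in_use; } sa_entry;  /* hypothetical SA slot */
typedef struct { sa_entry sa[MAX_SA]; } sa_table;

/* Install an SA for dst in the first free slot; returns the slot, or -1 if full. */
int sa_install(sa_table *t, uint32_t dst) {
    for (int i = 0; i < MAX_SA; i++)
        if (!t->sa[i].in_use) { t->sa[i].dst = dst; t->sa[i].in_use = 1; return i; }
    return -1;
}

int sa_lookup(const sa_table *t, uint32_t dst) {
    for (int i = 0; i < MAX_SA; i++)
        if (t->sa[i].in_use && t->sa[i].dst == dst) return i;
    return -1;
}

/* Adapter behaviour as the page describes it: a packet that matches no SA is
 * treated as ordinary traffic, sent in clear text, and no error is raised. */
wire_t adapter_transmit(const sa_table *adapter, uint32_t dst) {
    return sa_lookup(adapter, dst) >= 0 ? WIRE_ENCRYPTED : WIRE_CLEARTEXT;
}

/* Count destinations the driver believes are protected but which the adapter
 * would emit unencrypted. Reading the adapter table is a simulation-only view. */
int count_silent_cleartext(const sa_table *driver, const sa_table *adapter) {
    int n = 0;
    for (int i = 0; i < MAX_SA; i++)
        if (driver->sa[i].in_use &&
            adapter_transmit(adapter, driver->sa[i].dst) == WIRE_CLEARTEXT) n++;
    return n;
}

int main(void) {
    sa_table drv, nic;
    memset(&drv, 0, sizeof drv); memset(&nic, 0, sizeof nic);
    uint32_t hostA = 0xC0000201, hostB = 0xC0000202;   /* constructed addresses */
    sa_install(&drv, hostA); sa_install(&nic, hostA);
    sa_install(&drv, hostB);           /* hostB's SA never reaches the adapter */
    printf("hostB on wire: %s, silent leaks: %d\n",
           adapter_transmit(&nic, hostB) == WIRE_CLEARTEXT ? "cleartext" : "encrypted",
           count_silent_cleartext(&drv, &nic));
    return 0;
}
```

In the simulation the driver's table lists both hosts as protected, yet traffic to hostB leaves in clear text with no error path exercised.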
A user/administrator may attempt to verify that the packets are being encrypted by tapping into the network stream and physically observing the packets being transmitted within a SA. The user may then have to physically stop the transmission and restart the process. Currently, there is no efficient way to verify that the adapter is performing the desired encryption. There is also no way to dynamically restart a transmission process once a determination is made to terminate a transmission due to the above described errors.
The present invention therefore realizes that it would be desirable to provide a method and IPSec hardware component that dynamically verifies that packets being transmitted by the network adapter are correctly encrypted prior to transmission on the network. A method and computer program product that enables an IPSec hardware component to track packets to be encrypted by the IPSec adapter to ensure that such encryption is occurring would be a welcome improvement. These and other benefits are provided by the invention described herein.