A. Field of the Invention
Systems and methods consistent with the principles of the invention relate generally to methods and apparatuses for secure network communications.
B. Description of Related Art
Network computing applications involving groups of computers may send the same information to multiple computers in the group. There are three conventional ways to design a network application for group communication: unicast, broadcast, and multicast. As shown in FIG. 1, unicast systems transmit a copy of each data packet to one specific recipient. In order to transmit to multiple recipients, a separate connection is made with each recipient. Making multiple direct connections requires an increasing amount of bandwidth as the number of recipients grows and can result in delays, since the same packet must be repeatedly copied and then transmitted to each recipient. Under a broadcast system, one copy of each packet may be sent to a broadcast address. As a result, the broadcast transmission is delivered to every host in the broadcast domain, even when only a small number of those hosts actually wish to receive it.
With a multicast system, a network application may send one copy of each packet addressed to a group of recipients instead of sending the packet to one recipient, as in unicast systems. One or more networks may then forward the packet to the members of the group. Because of this dependence on the network to forward the packet, multicast applications may only work on networks that are multicast enabled. Generally, unicast, broadcast, and multicast transmissions are not secure, because the destination address in the packet header remains visible to anyone who can observe traffic on the network, even if the data payload of the packet has been encrypted.
There are several conventional methods to transmit data packets through a network. Some of these conventional methods may provide secure transmissions, while others may not. One technique for secure transmission of data packets is the use of a unicast tunnel. As shown in FIG. 2, a source device 210 may transmit data to a tunnel gateway 220 for transmission across a unicast tunnel 230 in order to reach a destination device 270 through a tunnel endpoint 250. For secure transmissions, the packet may be conventionally encrypted using a unique key for the particular unicast tunnel 230 being used. The packet may be encapsulated in a unicast tunnel packet at tunnel gateway 220. Conventional tunnels may use an encapsulation protocol such as Internet Protocol Security's Encapsulating Security Payload (IPsec ESP). IPsec may provide a range of tunneling security features. IPsec, alone or with other protocols, such as Internet Key Exchange (IKE), may build a unique set of security associations for each tunnel, including access controls, encryption keys, and authentication keys for the given tunnel. As a result, neither the data nor the final destination of the original packet can be read once the packet enters tunnel 230: the outer header of the tunnel packet carries only the addresses of tunnel gateway 220 and tunnel endpoint 250, while the original packet, its destination address included, travels encrypted inside. Tunnel endpoint 250 may verify the authentication of received packets and decrypt them using the keys of the given tunnel, and may then forward the original packet toward the packet's final destination, i.e., destination device 270.
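The following program is an added illustration of the two points made above, the exposed destination address of an untunneled packet and the ESP tunnel that hides it; it is not part of the patent or of any IPsec implementation. It builds a simplified ESP tunnel-mode packet with AES-GCM (RFC 4303 framing with the RFC 4106 nonce construction), encapsulates a constructed inner packet at a gateway, shows what an on-path observer reads from each header, and has the endpoint verify and decrypt it. The addresses are from documentation ranges, the key is a constructed test value, the IPv4 checksum and the anti-replay window are omitted, and the single shared SA object stands in for the pair of matching security associations IKE would install at both ends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options, checksum left zero):
// just the fields an on-path observer reads to learn the destination.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:4], uint16(20+payloadLen))
	h[8], h[9] = 64, proto // TTL; protocol (50 = ESP, 17 = UDP)
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

// SA is one tunnel's security association as IKE would negotiate it: SPI,
// AES-GCM key and the 4-byte salt of the RFC 4106 nonce. No anti-replay window.
type SA struct {
	spi  uint32
	salt [4]byte
	aead cipher.AEAD
	seq  uint32
}

func NewSA(spi uint32, key []byte, salt [4]byte) *SA {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // 12-byte nonce, 16-byte ICV; cannot fail for AES
	return &SA{spi: spi, salt: salt, aead: aead}
}

// Encapsulate is the tunnel gateway: the entire inner IP packet, header included,
// becomes ESP payload behind an outer header addressed gateway -> endpoint.
// ESP: SPI(4) | Seq(4) | IV(8) | ciphertext(inner || pad || padLen || nextHdr) | ICV(16)
func (sa *SA) Encapsulate(gw, ep net.IP, inner []byte) []byte {
	sa.seq++
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, sa.spi), sa.seq)
	iv := binary.BigEndian.AppendUint64(nil, uint64(sa.seq)) // never repeats under this SA
	nonce := append(append([]byte{}, sa.salt[:]...), iv...)
	padLen := (4 - (len(inner)+2)%4) % 4 // ESP trailer must end 4-byte aligned
	plain := append(append([]byte{}, inner...), make([]byte, padLen)...)
	plain = append(plain, byte(padLen), 4) // next header 4 = IPv4, i.e. tunnel mode
	ct := sa.aead.Seal(nil, nonce, plain, hdr) // SPI||Seq authenticated as AAD
	esp := append(append(hdr, iv...), ct...)
	return append(ipv4Header(gw, ep, 50, len(esp)), esp...)
}

// Decapsulate is the tunnel endpoint: check the outer protocol and SPI, verify
// the ICV, decrypt, strip the ESP trailer and return the inner packet to forward.
func (sa *SA) Decapsulate(outer []byte) ([]byte, error) {
	// outer header + SPI + Seq + IV + ICV + at least the 2-byte trailer
	if len(outer) < 20+4+4+8+16+2 || outer[9] != 50 || binary.BigEndian.Uint32(outer[20:24]) != sa.spi {
		return nil, errors.New("not an ESP packet for this SA")
	}
	esp := outer[20:]
	nonce := append(append([]byte{}, sa.salt[:]...), esp[8:16]...)
	plain, err := sa.aead.Open(nil, nonce, esp[16:], esp[0:8])
	if err != nil {
		return nil, err // ICV mismatch: modified in transit or wrong key
	}
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || len(plain) < 2+padLen {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}

// Observe renders what anyone on the path reads from a cleartext IP header.
func Observe(pkt []byte) string {
	return fmt.Sprintf("%v -> %v proto %d", net.IP(pkt[12:16]), net.IP(pkt[16:20]), pkt[9])
}

// Demo tunnels a constructed packet (10.0.0.5 -> 10.9.9.9, UDP payload "hello")
// from gateway 192.0.2.1 to endpoint 198.51.100.2. It returns what the wire shows,
// what it would have shown untunneled, and whether the endpoint recovered the
// packet intact. With tamper set, one ciphertext byte is flipped in transit.
func Demo(tamper bool) (wire, untunneled string, recovered bool, err error) {
	sa := NewSA(0x1000, []byte("0123456789abcdef"), [4]byte{1, 2, 3, 4}) // constructed test key
	pkt := append(ipv4Header(net.IPv4(10, 0, 0, 5), net.IPv4(10, 9, 9, 9), 17, 5), "hello"...)
	tunneled := sa.Encapsulate(net.IPv4(192, 0, 2, 1), net.IPv4(198, 51, 100, 2), pkt)
	if tamper {
		tunneled[20+16] ^= 0x01 // first ciphertext byte, after SPI, Seq and IV
	}
	got, err := sa.Decapsulate(tunneled) // the endpoint holds an identical SA
	return Observe(tunneled), Observe(pkt), string(got) == string(pkt), err
}

func main() {
	fmt.Println(Demo(false))
	fmt.Println(Demo(true))
}
```

Run with `go run`: the first line shows that the wire carries only `192.0.2.1 -> 198.51.100.2 proto 50`, while the untunneled packet would have exposed `10.0.0.5 -> 10.9.9.9 proto 17`; the second line shows the endpoint rejecting a packet altered in transit, because the ICV covers the SPI, sequence number and the whole encrypted inner packet.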