Internet Protocol (IP) is an addressing protocol designed to facilitate the routing of traffic within a network or between networks. IP is used on many computer networks, including the Internet, intranets and other networks, and may also be used for voice calls transmitted over one or more of these networks. Since communications on these networks (especially voice calls) may involve personal and confidential information (e.g., credit card numbers), it may be desirable to utilize security features, such as authentication and encryption, to protect that information. A suite of protocols for implementing such security, known as IP security (IPSEC), has been defined by the Internet Engineering Task Force (IETF). For more information on IPSEC, see IETF Requests For Comments (RFC) 2401–2412, all of which are specifically incorporated herein by reference.
In order to establish a secure communication with IPSEC, a security association (SA) may be negotiated and set up between two network devices. The SA typically includes information such as the key lifetime, the encryption algorithm, the authentication algorithm, and the keys themselves. For more information on SAs and their negotiation, see RFC 2409, which is specifically incorporated herein by reference. In addition to establishing an SA, the two network devices may enable replay prevention to provide further security for their communication. Replay prevention is an IPSEC service, offered by both the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, that is used to prevent other network devices (e.g., a “man in the middle”) from copying and “replaying” packets sent between the two network devices. For more information on replay prevention, see RFCs 2402 and 2406, which are specifically incorporated herein by reference. Replay prevention involves a per-SA replay counter: the sender increments it to generate the sequence number carried in each packet, and the receiver keeps track of the sequence numbers it has accepted (typically with a sliding window) so that a duplicate can be rejected. The sequence number is updated with each new packet that is sent, and in large network systems, thousands of new packets are sent each second.
During a secure communication, there may come a time when one of the network devices wants or needs to turn over the secure communication to another network device. For example, one of the network devices may become inoperable or “crash” due to a hardware or software error. The failing network device may then wish to transfer its secure communication to another network device, such as a back-up or redundant network device. In doing so, the SA between the original two network devices should be transparently transferred to the new network device (e.g., the back-up or redundant network device) in order to obviate the need to interrupt the communication while a new SA is negotiated.
Switching an established SA between two network devices can be difficult, however, if replay prevention has been enabled for the secure communication. In such a case, the current sequence number information (the sender's counter and the receiver's record of accepted sequence numbers) must be recorded separately by the back-up or redundant network device, because the peer will reject as replays any packets whose sequence numbers it has already seen, and will reject as stale any that fall behind its window. Updating and maintaining this sequence number information for switching the secure communication to the back-up or redundant network device is not scalable, especially since there may be thousands of packets being transmitted every second and the sequence number changes with each new packet. Indeed, updating and maintaining the sequence number information on a per-packet basis results in valuable network resources, such as processing time and bandwidth, being wasted. In addition, if the back-up or redundant network device serves more than one network device, it may also be difficult for the back-up or redundant network device to maintain and update sequence number information for multiple network devices.
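The following is an added example, not code from the original application, illustrating both the replay-prevention mechanism described above and the failover problem this paragraph raises. It implements the receiver-side anti-replay sliding window of RFC 2401 Appendix C (the same check used by AH and ESP) in Python and then runs a constructed scenario: an active sender checkpoints its replay counter to a standby only periodically, crashes, and the standby resumes from the stale value. The window size, checkpoint interval, packet counts and class names are assumptions chosen for the illustration; the page specifies none of them.

```python
"""Anti-replay sliding window (RFC 2401 Appendix C / RFC 2402 section 3.4.3)
and a constructed SA-failover scenario. Example code, not from the application."""

WINDOW_SIZE = 64   # assumption: RFC 2401 mandates at least 32; 64 is a common default


class AntiReplayWindow:
    """Receiver-side state for one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number (last_seq - i) was accepted

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh; False if it is a replay or
        lies left of the window. A real implementation only updates the window
        after the packet's integrity check (ICV) has passed."""
        if seq == 0:
            return False                          # counter starts at 1; 0 is never valid
        if seq > self.last_seq:                   # new right edge: slide the window
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                   # everything older drops out
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False                          # too old: left of the window
        if (self.bitmap >> offset) & 1:
            return False                          # already accepted: replay
        self.bitmap |= 1 << offset
        return True


class Sender:
    """Outbound side: the per-SA replay counter, incremented for every packet."""

    def __init__(self, start=0):
        self.seq = start

    def next_seq(self):
        self.seq += 1
        return self.seq


def replay_demo():
    """Legitimate, reordered, replayed and too-old packets against one receiver."""
    rx = AntiReplayWindow()
    results = {}
    results["fresh"] = [rx.check_and_update(s) for s in (1, 2, 3, 5)]   # all accepted
    results["reordered"] = rx.check_and_update(4)     # late but never seen: accepted
    results["replayed"] = rx.check_and_update(3)      # duplicate of an accepted packet
    results["jump"] = rx.check_and_update(200)        # large jump slides the window
    results["left_of_window"] = rx.check_and_update(100)  # 200 - 100 >= 64: rejected
    return results


def failover_demo(checkpoint_every=1000, packets_before_crash=1500):
    """Constructed scenario (assumed numbers): the active sender copies its
    counter to a standby every `checkpoint_every` packets, then crashes after
    `packets_before_crash` packets. The standby resumes from the stale counter."""
    peer = AntiReplayWindow()
    active = Sender()
    checkpointed = 0
    for _ in range(packets_before_crash):
        seq = active.next_seq()
        peer.check_and_update(seq)                # every live packet is accepted
        if seq % checkpoint_every == 0:
            checkpointed = seq                    # per-interval, not per-packet, sync
    standby = Sender(start=checkpointed)          # takes over the SA with old state
    accepted = rejected = 0
    for _ in range(10):
        if peer.check_and_update(standby.next_seq()):
            accepted += 1
        else:
            rejected += 1                         # peer sees stale numbers as replays
    return {"checkpointed": checkpointed, "active_last": active.seq,
            "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(replay_demo())
    print(failover_demo())
```

The failover scenario shows why the paragraph calls per-packet synchronisation unscalable: anything less than per-packet copying leaves the standby behind the peer's window, so every packet it sends after taking over is silently discarded until the gap is closed, while copying the counter on every packet costs processing time and bandwidth on each of the thousands of packets per second.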
Accordingly, it is desirable to have a system and method for switching SAs between network devices that does not waste network resources, reduce performance of the system, or degrade the quality of the communication between the network devices, even when replay prevention is enabled. The present invention provides such a system and method for switching SAs.