This invention is directed to the field of computer networks. It is more particularly directed to network devices that transform packets traveling in an IP network in various manners.
The Internet Protocol (herein referred to as IP) is the predominant communication mechanism used in the Internet and in many enterprise networks. The original IP communication was designed so that the network would deliver the IP packets created by a source machine to a destination machine without any significant modification to the contents of the IP packet. Some minor modifications, such as decrementing the time-to-live field and recomputing the header checksum, are made to the header of an IP packet during the course of normal forwarding, but most of the fields of the IP header and the entire payload are left unmodified.
In order to meet the varying security and scalability needs that arise within the Internet and enterprise IP intranets, it has become common practice to perform different types of transformations on an IP packet. Examples of such transformations include the encryption of IP packets, compression of the IP payload, encapsulation of an IP packet within another IP packet, translation of the source or destination address to some other value within the network, etc. Such transformations are most often performed in a transparent fashion, such that an application sending IP packets into the network is often not aware that such transformations are being done within the network. A transformation may be done by the kernel of an originating machine, or by an intermediary router or firewall in the network. Such transparent transformations are hidden from the receiving application by a reverse transformation, which is performed in the kernel of the receiving machine or at another intermediary device close to the receiving machine. These transformations establish logical communication tunnels within an IP network between the devices that perform the transformation and the devices that perform the reverse transformation. The IP communication tunnel may span the entire path of an IP packet, when the transformation is done at the source machine and the reverse transformation at the destination machine. An IP communication tunnel may also apply to only part of a route between a pair of communicating machines, with one network device doing the transformation at a point in the path of the packet, and another network device performing the reverse transformation further along the path of the packet.
An example of a transformation process is the IP security protocol (IPsec) using the Encapsulating Security Payload (ESP) mechanism in tunnel mode. It enables a router (or the source machine) to encrypt an IP packet and place it within a new IP packet header on the source side. This transformation is reversed close to the destination machine by a router, and the original IP packet is regenerated. The reverse transformation can also be done by the destination machine kernel itself. Other types of transformations include IPsec using ESP in transport mode, IPsec using the Authentication Header (AH) in transport mode, IPsec using AH in tunnel mode, Generic Routing Encapsulation (GRE), Network Address Translation (NAT), etc. These transformations are described in various Internet Requests For Comments (RFCs), namely RFC 2401 (IPsec architecture), RFC 2406 (ESP), RFC 2402 (AH), RFC 1701 and RFC 1702 (GRE), RFC 1631 (NAT), RFC 2766 (NAT-PT), etc. These transformations are known to those skilled in the art.
These Internet Network Working Group submissions are herein incorporated by reference in entirety.
One of the key aspects of these transformations is that they are to be applied transparently to IP packets such that the originating applications are not aware of the existence of the transformation process. The transformation process is usually put into place by configuration and administration of the network devices (servers, firewalls or routers) that perform the transformation. However, in many cases, one needs to validate that the transformation has actually been accomplished, and that the communicating applications are communicating with each other using the transformation.
A usual mechanism to ensure that things are set up properly for two machines to communicate on an IP network is to use a program like ping. It sends an ICMP Echo Request packet, defined according to the Internet ICMP standard (RFC 792), from one machine to another, and the latter answers with an ICMP Echo Reply. Upon receiving the reply, the original machine is assured that communication is possible between the two machines. However, when transformations are in place, it is advantageous to have a way to ensure not only that communication is possible, but that the communication is happening with the right transformations taking place. Communication may be taking place without any transformation, or may be happening with an incorrect transformation, and in either case the echo reply still arrives, so ping alone cannot distinguish these from the correct case. In most environments the transformation must occur correctly; it is unacceptable that packets be sent in the clear when they require an IPsec encryption transformation. Existing schemes for ensuring that there is connectivity between machines therefore cannot be used for the purpose of validating communication when transformations are taking place.
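The following is an added worked example, not part of the patent text and not the apparatus it claims. It illustrates the two preceding points: the encapsulations described above (ESP, AH, GRE, IP-in-IP, NAT) as they appear on the wire, and why a connectivity check is not a transformation check. The code builds a few IPv4 packets by hand (addresses are RFC 5737 documentation prefixes, the SPI and sequence numbers are made up, and no traffic is captured), classifies each packet by the transformation it carries, and compares that against an expected policy. A plain echo reply would look identical to the sender in all of these cases.

```python
"""Added example: classify packets on the wire by the IP transformation
they carry, so that an administrator can assert the expected transformation
(ESP, AH, GRE, IP-in-IP or a NAT-rewritten source) is actually in place.
All packets below are constructed by hand; none are captured traffic."""
import struct

# IANA IP protocol numbers for the transformations discussed in the text.
PROTO_ICMP, PROTO_IPIP, PROTO_GRE, PROTO_ESP, PROTO_AH = 1, 4, 47, 50, 51
_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header layout


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum; 0 means the header's own checksum
    field is already correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """IPv4 header without options, TTL 64, with a valid checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              _ip_bytes(src), _ip_bytes(dst)]
    fields[7] = ipv4_checksum(struct.pack(_HDR, *fields))
    return struct.pack(_HDR, *fields) + payload


def parse_ipv4(pkt):
    """Validate an IPv4 header and return addresses, protocol and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": _ip_str(src), "dst": _ip_str(dst), "proto": proto,
            "payload": pkt[ihl:total_len]}


def classify(pkt):
    """Identify the transformation carried by one packet as seen on the wire."""
    outer = parse_ipv4(pkt)
    obs = {"outer_src": outer["src"], "outer_dst": outer["dst"]}
    body, proto = outer["payload"], outer["proto"]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP keeps the next-header byte in the encrypted trailer, so tunnel
        # versus transport mode cannot be told apart without the SA's key.
        obs.update(transform="ESP", spi=spi, seq=seq)
    elif proto == PROTO_AH:
        next_hdr = body[0]                      # AH is integrity-only: inner header is visible
        spi, seq = struct.unpack("!II", body[4:12])
        obs.update(transform="AH", spi=spi, seq=seq,
                   mode="tunnel" if next_hdr == PROTO_IPIP else "transport")
    elif proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Optional checksum (C), key (K) and sequence (S) fields, 4 bytes each.
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) \
                + 4 * bool(flags & 0x1000)
        obs.update(transform="GRE", gre_proto=ptype)
        if ptype == 0x0800:                     # inner IPv4 is readable
            inner = parse_ipv4(body[off:])
            obs.update(inner_src=inner["src"], inner_dst=inner["dst"])
    elif proto == PROTO_IPIP:
        inner = parse_ipv4(body)
        obs.update(transform="IPIP", inner_src=inner["src"], inner_dst=inner["dst"])
    else:
        obs.update(transform="none", proto=proto)
    return obs


def check_transformation(pkt, expected):
    """Return (ok, reason). A NAT check is expected={'outer_src': <public addr>}."""
    obs = classify(pkt)
    for key, want in expected.items():
        if obs.get(key) != want:
            return False, "%s: observed %r, expected %r" % (key, obs.get(key), want)
    return True, "transformation verified: %s" % obs["transform"]


# Constructed sample packets (assumed values, not captured traffic).
ICMP_ECHO = bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])          # Echo Request, valid checksum
INNER = build_ipv4("10.0.0.1", "10.0.1.1", PROTO_ICMP, ICMP_ECHO)
CLEAR = INNER                                               # sent with no transformation
ESP_TUNNEL = build_ipv4("192.0.2.1", "198.51.100.1", PROTO_ESP,
                        struct.pack("!II", 0x1000, 7) + b"\xde\xad" * 16)
GRE_TUNNEL = build_ipv4("192.0.2.1", "198.51.100.1", PROTO_GRE,
                        struct.pack("!HH", 0, 0x0800) + INNER)
NATTED = build_ipv4("203.0.113.5", "10.0.1.1", PROTO_ICMP, ICMP_ECHO)
```

Run against the policy `{"transform": "ESP", "spi": 0x1000}`, `CLEAR` fails (the packet went out unencrypted), `GRE_TUNNEL` fails (wrong transformation, and the inner addresses are readable), and only `ESP_TUNNEL` passes; a ping from 10.0.0.1 would have succeeded in all three cases. The check is deliberately one-sided: it proves which encapsulation is present, not that the ESP payload is decryptable under the intended security association.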
It would also be advantageous that the validation of the communication be able to be accomplished by an individual operating from one node, or by a management console which is responsible for managing the configuration of multiple machines in an IP network.
It is therefore an aspect of the present invention to provide methods and apparatus by which a network user or administrator at a central console can validate that transformations required for communication to another machine have been set up properly.
In another aspect of the invention, a network user or administrator uses a method disclosed herein to validate that IPsec tunnels performing Encapsulating Security Payload (ESP) transformations in tunnel or transport mode have been established properly between communicating firewalls, routers and/or hosts.
In still another aspect of the invention, a network user or administrator uses a method disclosed herein to validate that IPsec tunnels performing Authentication Header (AH) transformations in tunnel or transport mode have been established properly between communicating firewalls, routers and/or hosts.
In an alternative embodiment, a network user or administrator uses a method disclosed herein to validate that Generic Routing Encapsulation performing IP-in-IP encapsulation has been established properly between communicating firewalls, routers and/or hosts.
In a further aspect of the invention, a network user or administrator uses a method disclosed herein to validate that network address translation has been established properly between communicating network devices.
Other objects and a better understanding of the invention may be realized by referring to the detailed description.