Title of Invention	A METHOD FOR DISTRIBUTING DATA PACKETS ADDRESSED TO AT LEAST ONE VIRTUAL ADDRESS RECEIVED OVER A COMMUNICATION NETWORK AND A CLUSTER SYSTEM
Abstract	The invention relates to a method for distributing to a plurality of service nodes a data packet addressed to at least one virtual address and received over a communication network using a protocol that allows at least some content of the data packets to be encrypted, the method comprising: receiving an incoming data packet addressed to a virtual address through a gateway node of a cluster system identified by at least one common virtual address comprising: a plurality of service nodes; at least one gateway node; a packet analyzer that analyzes destination addresses and encryption states of incoming data packets; a packet decryption module comprising a key that decrypts encrypted content of data packets; and a packet scheduler that determines which of the service nodes receives data packets addressed to the at least one virtual address based upon service information comprising at least one of a port number and an application protocol contained in the UDP or TCP header of the data packets; identifying the encryption state of the incoming data packet via the packet analyzer; scheduling the received data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the received data packet in response to no encryption being identified in step b); in response to encryption being identified in step b), decrypting the incoming data packet including the UDP or TCP header via the packet decryption module and scheduling the decrypted data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the decrypted data packet; and distributing the incoming data packet to one of the service nodes having a unique address according to the determination of the packet scheduler.

Title of Invention

A METHOD FOR DISTRIBUTING DATA PACKETS ADDRESSED TO AT LEAST ONE VIRTUAL ADDRESS RECEIVED OVER A COMMUNICATION NETWORK AND A CLUSTER SYSTEM

Abstract

The invention relates to a method for distributing to a plurality of service nodes a data packet addressed to at least one virtual address and received over a communication network using a protocol that allows at least some content of the data packets to be encrypted, the method comprising: receiving an incoming data packet addressed to a virtual address through a gateway node of a cluster system identified by at least one common virtual address comprising: a plurality of service nodes; at least one gateway node; a packet analyzer that analyzes destination addresses and encryption states of incoming data packets; a packet decryption module comprising a key that decrypts encrypted content of data packets; and a packet scheduler that determines which of the service nodes receives data packets addressed to the at least one virtual address based upon service information comprising at least one of a port number and an application protocol contained in the UDP or TCP header of the data packets; identifying the encryption state of the incoming data packet via the packet analyzer; scheduling the received data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the received data packet in response to no encryption being identified in step b); in response to encryption being identified in step b), decrypting the incoming data packet including the UDP or TCP header via the packet decryption module and scheduling the decrypted data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the decrypted data packet; and distributing the incoming data packet to one of the service nodes having a unique address according to the determination of the packet scheduler.

Full Text	The invention relates to a method, a cluster system and a computer-readable medium for distributing data packets addressed to at least one virtual address received over a communication network using a protocol, which allows for at least some content of the data packets to be encrypted, to a multiplicity of service nodes. Methods and apparatuses for distributing data packets to a multiplicity of service nodes are commonly used in so-called cluster systems providing services to a large number of clients. A particular well-known example are so-called server farms providing web services to the Internet. Originally the transmission control protocol and the Internet protocol (TCP/IP) did not provide any method for packet authentication or encryption. The most popular application level protocol, the hypertext transport protocol (HTTP) also does not provide any security mechanisms. With the growing importance of web services such as e- commerce and e-business, a great need for secure Internet communication has arisen. To overcome the lack of security, various protocols for including security mechanisms like authentication and encryption were designed for the different layers of the TCP/IP protocol stack. The secure socket layer (SSL) protocol is an extra layer, added between the transport layer, managing connections between two computers, and the application layer and provides transparent authentication and encryption to higher level protocols. In practice, however, it is only commonly used in combination with the HTTP protocol, which is then referred to as secure HTTP or HTTP over SSL (HTTPS). Because of the relatively high overhead in terms of processing performance it is only used for a few types of applications such as online banking and electronic payment systems. In order to spread the use of secure communication on the Internet to other applications and application protocols, the IP security (IPsec) standard integrates authentication and encryption directly into the network layer. To this end an additional packet header is introduced which is placed immediately after the IP header comprising the source and destination address of the packet. The additional header is placed before the TCP or UDP header of the transport layer, which comprises, among other data, the source and destination port number of the packet. The additional IPsec header can comprise either an authentication header (AH) or an encapsulated secure payload (ESP) header or both. In case encryption is used the data following the ESP header is encrypted, including the data contained in a subsequent UDP or TCP header. Encryption can be used in two different modes called tunnel mode and transport mode respectively. In tunnel mode, the entire data packet to be transmitted over a network is encrypted and included in a new data packet as payload. In transport mode, only the content of the original data packet is encrypted, but some of its header information, particularly the IP header comprising source and destination address and the ESP header comprising encryption information remain unencrypted. If such a partially encrypted data packet is received by a single server, the decryption of the packet's content takes place before the packet is passed to the transport layer and processing can proceed in the same way as without encryption. If the IP packet is received by a cluster system, however, data packets are usually distributed to different service nodes of the cluster for further processing. In order to decide which packet is to be processed by what service node, a packet analyzer usually scans the headers of the received packets for service information, such as the port number or application protocol. This information, however, is not available at the network layer in case of an encrypted IPsec packet. Consequently, IPsec is currently not used in cluster systems identified by a common virtual address, but always directed to a physical address of a single server. This has the disadvantage that the scalability and reliability of cluster systems can currently not be used in combination with the security offered by the IPsec standard. Consequently it is an object of the present invention to describe a method that allows the distribution of at least partially encrypted data packets to a multiplicity of service nodes. The objective should be achieved with minimal changes on existing cluster systems, particularly without modification of existing package schedulers, for reasons of implementation simplicity. According to the invention the problem is solved by a method for distributing data packets addressed to at least one virtual address received over a communication network using a protocol, which allows for at least some content of the data packets to be encrypted, to a multiplicity of service nodes, which includes the steps of providing a cluster system comprising a multiplicity of service nodes, at least one gateway node, a packet analyzer that analyzes destination addresses and encryption state of incoming data packets, a packet decryption module comprising a predefined key that decrypts encrypted content of data packets, a packet scheduler that determines which of the service nodes to be used for data packets addressed to at least one virtual address based on data packets' content, receiving an incoming data packet addressed to a virtual address through the gateway and identifying the encryption state of the received data packet through the packet analyzer, scheduling of the received data packet through the packet scheduler, if no encryption was identified, or performing the steps of decrypting the encryption data packet through the packet encryption module and scheduling of the decrypted data packet though the packet scheduler if encryption was identified, and distributing the received data packet to one of the service nodes according to the scheduling. The inventive method has the advantage that an existing packet scheduler can be used to make scheduling decisions even if received data packets are partially encrypted. According to the present invention partially encrypted data packets are picked up by a packet analyzer and decrypted before a decrypted version of the packet is sent on to the packet scheduler. After the packet scheduler has made a scheduling decision based on the decrypted content of the data packet, the data packet can be replaced by the encrypted version again, such that the service node or any higher level protocol tools are not aware of the intermediate decryption. Thus, the inventive method can be introduced transparently to an existing cluster system. In a first embodiment of the present invention incoming encrypted data packets are temporarily stored by the packet analyzer and a decrypted copy of the packet is sent to the packet scheduler for scheduling. The decision of the packet scheduler is returned to the packet analyzer, which then sends the originally received packet onto the service node according to the decision of the packet scheduler. In an alternative implementation of the method, an additional packet exchange module is provided, which picks up previously encrypted packets, which were decrypted for the packet scheduler and replaces them with the originally encrypted data packets, which are forwarded from the packet analyzer to the packet exchange module. This embodiment has the advantage that it can be implemented in a typical queue oriented software system. Further details and embodiments of the present invention are described in the patent claims. The invention will be described in the following using exemplary embodiments shown in the following figures. Figure 1 shows a first embodiment of the present invention. Figure 2 shows a second embodiment of the present invention. Figure 3 shows a flow chart of the inventive method. Figure 1 shows a cluster system 1 comprising a gateway node 2 and three service nodes 3A, 3B and 3C. Each of the service nodes 3A, 3B and 3C has a unique address 18A, 18B and 18C respectively. The gateway node 2 and the service nodes 3 are connected through an internal network 11. The gateway node 2 comprises a packet analyzer 4, a packet decryption module 5 and a packet scheduler 6. The packet decryption module 5 contains a decryption key 17 and the packet analyzer 4 comprises at least one predetermined virtual address 12. In addition, the gateway node 2 is connected to a communication network 10. The packet analyzer 4 receives data packets from the communication network 10. It checks whether incoming packets are address to the predetermined virtual address 12 and whether the incoming packets are encrypted. If an encrypted packet 7 is found, a copy of the encrypted packet 7 is stored and the packet 7 is forwarded to the packet decryption module 5. The packet decryption module 5 decrypts the encrypted data packet 7 using the decryption key 17 and returns an decrypted packet 8 to the packet analyzer 4. The decrypted packet 8 is then forwarded to the packet scheduler 6, which makes a scheduling decision based on the decrypted packet's content. Scheduling data 9 is then returned from the packet scheduler 6 to the packet analyzer 4, either alone or contained in the decrypted packet 8. For example, the packet scheduler 6 can return its scheduling decision by overwriting the virtual address 12 originally contained in the data packet 8 with one of the unique addresses 18A, 18B or 18C of the service nodes 3A, 3B or 3C. Alternatively the packet scheduler 6 can add an additional header to the returned data packet 8. The packet analyzer 4 combines the stored encrypted packet 7 with the received scheduling data 9 and forwards the resulting data packet to the internal network 11. For example, an destination address 18A, 18B or 18C contained in a modified or additional header of the returned data packet 8 can be included in the stored encrypted packet 7. The data packet 7 is then forwarded to one of the service nodes 3A, 3B, 3C for further processing. If an open, i.e. unencrypted data packet is received by the packet analyzer 4 from the data network 10, the packet is forwarded directly to the packet scheduler 6, without prior decryption or intermediate storage. The embodiment shown in Figure 1 has the additional advantage that all processing of the unencrypted data packet 8 takes place within the gateway node 2. Thus, even in cases were the internal communication network 11 is deemed to be insecure, e.g. because it an open network connecting service nodes 3 at locations different from the location of the gateway node 2, the data exchanged over the networks 10 and 11 remains secure. Figure 2 shows an alternative embodiment of the present invention. A cluster system 13 comprises a gateway node 2, a routing node 14, a decryption node 15 and three service nodes 3A, 3B and 3C with addresses 18A, 18B and 18C respectively. All nodes are connected by an internal network 11. The gateway node 2 is further connected to a communication network 10. The gateway node 2 comprises a packet analyzer 4. The packet analyzer 4 analyzes incoming data packets and compares them with at least one predetermined virtual address 12. If an encrypted packet 7 is detected by the packet analyzer 4, the encrypted data packet 7 is forwarded to a decryption module 5 of the decryption node 15 and to a packet exchange module 16 of the routing node 14. The decryption module 5 decrypts the incoming encrypted packet 7 using a decryption key 17 and returns a decrypted packet 8 to the gateway node 2. The gateway node 2 then forwards the decrypted data packet 8 to a packet scheduler 6 of the routing node 14. Alternatively the decryption node 15 can also forward the decrypted packet 8 to the routing node 14 directly. The packet scheduler 6 inside the routing node 14 makes a scheduling decision based on the decrypted data packet 8 and adds scheduling data 9, typically the address 18A, 18B, or 18C of one of the service nodes 3A, 3B or 3C to the data packet 8. Because the packet scheduler 6 only receives decrypted packets 8, i.e. data packets without any IPsec information, all scheduling algorithms and systems developed for the original IP protocol can be utilized without change. The modified data packet 8 is then detected and picked up by the packet exchange module 16, which also runs within the routing node 14. For example, the packet exchange module 16 could analyze source address of data packets 7 scheduled by the packet scheduler and compare them with source addresses of the forwarded encrypted data packet 7. The authentication header used by IPsec also contains a packet sequence number, which can be used for identification of data packets to be exchanged. The packet exchange module 16 then exchanges the decrypted data packet 8 with the encrypted data packet 7, which was previously sent to it. At the same time it maintains the scheduling data 9, e.g. its new destination address 18A, 18B or 18C. The encrypted data packet 7 comprising the scheduling data 9 is then forwarded to one of the service nodes 3A, 3B or 3C for further processing. As in the previous embodiment, the inventive method can also be used in a network, in which unencrypted data packets are received by the gateway node 2. If an unencrypted data packet 8 is received by the packet analyzer 4, it is simply forwarded to the scheduling module 6 and ignored by the packet exchange module 16. Thus, the performance of existing systems for distributing data packets in a cluster system can be maintained for unencrypted data traffic, whilst allowing to support encrypted data traffic. As shown by the two different embodiments shown in Figure 1 and Figure 2, the different functional modules 3, 4, 5, 6 and 16 of the cluster system 1 and 13 can be either implemented in hardware or software. Forwarding data packets from one module to another can be achieved either by means of software interfaces or by physically sending them from one node of the cluster system 1 or 13 to another. In practice, many of the nodes of the cluster system 1 and 13 will be replicated for reasons of performance and reliability. In case several redundant gateway nodes 2 and/or decryption nodes 5 exist, all packet decryption modules 5 must contain the same decryption key 17. As mentioned in the outset, the IPsec standard also allows for authentication of data packets. If authentication is desired, either alone or in addition to the encryption of data packets, such functionality can be implemented using the same architecture as described above and shown in Figure 1 and 2 respectively. In this case an additional authentication module, either as part of the gateway node 2 or as a separate node of the cluster system 1 or 13 respectively must be provided. If the packet analyzer 4 identifies an incoming data packet containing an authorization header, the packet is forwarded to the authentication module prior to making a scheduling decision. If the packet is deemed to be authentic, it is forwarded to the scheduling module 6. Otherwise the packet may be rejected or forwarded to a special node or module for further analysis, e.g. to analyze whether a safety-critical attack on the cluster system 1 or 13 is being carried out over the data network 10. If both AH and ESP headers are present, they are analyzed and processed in the order they are included in the received data packet 7, i.e. a data packet containing a AH header followed by an ESP header is authenticated first and decrypted afterwards and vice versa. A flow chart of the inventive method including both, authentication and decryption of data packets is shown in Figure 3. Typically, outgoing data packets returned from the service nodes 3 to a client node over the network 10 will be encrypted too. In order to make good scheduling decisions, the packet scheduler 6 needs to maintain information about open connections between any client system and service node 3, such that all requests belonging to one connection are send to the same service node 3. Thus, it is important to scan outgoing data packets for connection closure. However, outgoing data packets may be encrypted, such that data required to determine the state of an connection is not available to the packet scheduler 6. For this reason, in a further embodiment of the invention, data packets are scanned for connection closure before they are encrypted. This can be done, for example, by a separate encryption module used to add the IPsec headers to outgoing data packets. The gathered information can then be forwarded to the packet scheduler 6, either through a separate interface or as part of the outgoing data packets, e.g. in form of an additional packet header. Such additional information must be stripped from the outgoing data packets before they are finally returned over the communication network 10, for example by the packet analyzer 4. Alternatively, outgoing data packets can be send through the same processing queue as incoming packets, i.e. they can be analyzed, decrypted if necessary, forwarded to the scheduler and subsequently replaced with the originally encrypted outgoing data packet as described above. List of References 1 Cluster system 2 Gateway node 3 Service node 4 Packet analyzer 5 Packet decryption module 6 Packet scheduler 7 Encrypted data packet 8 Decrypted data packet 9 Scheduling data 10 Communication network 11 Internal network 12 Virtual address 13 Cluster system 14 Routing node 15 Decryption node 16 Packet exchange module 17 Decryption key 18 Unique address We Claim: 1. Method for distributing a data packet (7) using a protocol, which allows for at least some content of the data packet (7) to be encrypted, to one of a multiplicity of service nodes (3) of a cluster system (1, 13) comprising the multiplicity of service nodes (3), at least one gateway node (2), a packet analyzer (4) for analyzing destination addresses and encryption states of the incoming data packet (7), a packet decryption module (5) comprising a predefined key (17) for decrypting encrypted content of the data packet (7), and a packet scheduler (6) for determining which of the service nodes (3) to be used for the data packet (7) addressed to at least one virtual address (12) received over a communication network (10) based on the data packet's content, the method comprising the following steps: a) receiving the incoming data packet (7) addressed to the virtual address (12) through the gateway node (2) and identifying the encryption state of the received data packet (7) through the packet analyzer (4), b) if no encryption was identified in step a), scheduling of the received data packet (7) through the packet scheduler (6) and distributing the received unencrypted data packet (7) to one of the service nodes (3) according to scheduling data (9), c) if encryption was identified in step a), performing the following steps: - decrypting the encrypted data packet (7) through the packet decryption module (5), - scheduling of the decrypted data packet (8) through the packet scheduler (6), and distributing the received encrypted data packet (7) to one of the service nodes (3) according to scheduling data (9). 2. The method as claimed in claim 1, characterized in that step c) comprises the steps of - storing the received data packet (7) by the packet analyzer (4), - forwarding the decrypted data packet (8) to the packet scheduler (6) for determining a scheduling data (9), and - modifying the stored, encryption data packet (7) using the scheduling information (9) provided by the packet scheduler (6) through the packet analyzer (4). 3. The method as claimed in claim 1, characterized in that the cluster system (13) comprises a packet exchange module (16) and step c) further comprises - forwarding the decrypted data packet (8) from the decryption (5) to the packet scheduler (6) for scheduling, - forwarding the received encrypted data packet (7) from the packet analyzer (4) to the packet exchange module (16), - intercepting the scheduled decrypted data packet (8) and replacing the decrypted data packet (8) with the forwarded encrypted data packet (7) through the packet exchange module (16). 4. The method as claimed in one of the claims 1 to 3, characterized in the cluster system (1, 13) comprises a packet authentication module for verifying authentication data of the data packet (7), - step a) further comprises the step of detecting if the data packet (7) contains authentication data, - step b) and step c) comprise the steps of forwarding the data packet containing authentication data to the authentication module and taking appropriate action in case the authentication information can not be verified. 5. Cluster system (1, 13) comprising - a multiplicity of service nodes (3), - at least one gateway node (2) comprising a packet analyzer (4) for analysing destination addresses and encryption states of an incoming data packet (7), a packet decryption module (5) comprising a predefined key (17) for decrypting encrypted content of the data packet (7) and a packet scheduler (6) for determining which of the service nodes (3) to be used for data packets addressed to at least one virtual address (12) based on data packet's content, - a communication network (11) connecting said gateway node (2) and service nodes (3), said cluster system (1, 13) being adapted to perform a method as claimed in any one of the claims 1 to 4. ABSTRACT TITLE : "A METHOD FOR DISTRIBUTING DATA PACKETS ADDRESSED TO AT LEAST ONE VIRTUAL ADDRESS RECEIVED OVER A COMMUNICATION NETWORK AND A CLUSTER SYSTEM" The invention relates to a method for distributing to a plurality of service nodes a data packet addressed to at least one virtual address and received over a communication network using a protocol that allows at least some content of the data packets to be encrypted, the method comprising: receiving an incoming data packet addressed to a virtual address through a gateway node of a cluster system identified by at least one common virtual address comprising: a plurality of service nodes; at least one gateway node; a packet analyzer that analyzes destination addresses and encryption states of incoming data packets; a packet decryption module comprising a key that decrypts encrypted content of data packets; and a packet scheduler that determines which of the service nodes receives data packets addressed to the at least one virtual address based upon service information comprising at least one of a port number and an application protocol contained in the UDP or TCP header of the data packets; identifying the encryption state of the incoming data packet via the packet analyzer; scheduling the received data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the received data packet in response to no encryption being identified in step b); in response to encryption being identified in step b), decrypting the incoming data packet including the UDP or TCP header via the packet decryption module and scheduling the decrypted data packet via the packet scheduler based upon the port number or the application protocol in the service information contained in the UDP or TCP header of the decrypted data packet; and distributing the incoming data packet to one of the service nodes having a unique address according to the determination of the packet scheduler.

Full Text

The invention relates to a method, a cluster system and a
computer-readable medium for distributing data packets
addressed to at least one virtual address received over a
communication network using a protocol, which allows for at
least some content of the data packets to be encrypted, to a
multiplicity of service nodes.
Methods and apparatuses for distributing data packets to a
multiplicity of service nodes are commonly used in so-called
cluster systems providing services to a large number of
clients. A particular well-known example are so-called server
farms providing web services to the Internet.
Originally the transmission control protocol and the Internet
protocol (TCP/IP) did not provide any method for packet
authentication or encryption. The most popular application
level protocol, the hypertext transport protocol (HTTP) also
does not provide any security mechanisms.
With the growing importance of web services such as e-
commerce and e-business, a great need for secure Internet
communication has arisen. To overcome the lack of security,
various protocols for including security mechanisms like
authentication and encryption were designed for the different
layers of the TCP/IP protocol stack.
The secure socket layer (SSL) protocol is an extra layer,
added between the transport layer, managing connections
between two computers, and the application layer and provides
transparent authentication and encryption to higher level

protocols. In practice, however, it is only commonly used in
combination with the HTTP protocol, which is then referred to
as secure HTTP or HTTP over SSL (HTTPS).
Because of the relatively high overhead in terms of
processing performance it is only used for a few types of
applications such as online banking and electronic payment
systems. In order to spread the use of secure communication
on the Internet to other applications and application
protocols, the IP security (IPsec) standard integrates
authentication and encryption directly into the network
layer. To this end an additional packet header is introduced
which is placed immediately after the IP header comprising
the source and destination address of the packet. The
additional header is placed before the TCP or UDP header of
the transport layer, which comprises, among other data, the
source and destination port number of the packet. The
additional IPsec header can comprise either an authentication
header (AH) or an encapsulated secure payload (ESP) header or
both. In case encryption is used the data following the ESP
header is encrypted, including the data contained in a
subsequent UDP or TCP header.
Encryption can be used in two different modes called tunnel
mode and transport mode respectively. In tunnel mode, the
entire data packet to be transmitted over a network is
encrypted and included in a new data packet as payload. In
transport mode, only the content of the original data packet
is encrypted, but some of its header information,
particularly the IP header comprising source and destination
address and the ESP header comprising encryption information
remain unencrypted.

If such a partially encrypted data packet is received by a
single server, the decryption of the packet's content takes
place before the packet is passed to the transport layer and
processing can proceed in the same way as without encryption.
If the IP packet is received by a cluster system, however,
data packets are usually distributed to different service
nodes of the cluster for further processing. In order to
decide which packet is to be processed by what service node,
a packet analyzer usually scans the headers of the received
packets for service information, such as the port number or
application protocol. This information, however, is not
available at the network layer in case of an encrypted IPsec
packet. Consequently, IPsec is currently not used in cluster
systems identified by a common virtual address, but always
directed to a physical address of a single server. This has
the disadvantage that the scalability and reliability of
cluster systems can currently not be used in combination with
the security offered by the IPsec standard.
Consequently it is an object of the present invention to
describe a method that allows the distribution of at least
partially encrypted data packets to a multiplicity of service
nodes. The objective should be achieved with minimal changes
on existing cluster systems, particularly without
modification of existing package schedulers, for reasons of
implementation simplicity.
According to the invention the problem is solved by a method
for distributing data packets addressed to at least one
virtual address received over a communication network using a
protocol, which allows for at least some content of the data
packets to be encrypted, to a multiplicity of service nodes,

which includes the steps of providing a cluster system
comprising a multiplicity of service nodes, at least one
gateway node, a packet analyzer that analyzes destination
addresses and encryption state of incoming data packets, a
packet decryption module comprising a predefined key that
decrypts encrypted content of data packets, a packet
scheduler that determines which of the service nodes to be
used for data packets addressed to at least one virtual
address based on data packets' content, receiving an incoming
data packet addressed to a virtual address through the
gateway and identifying the encryption state of the received
data packet through the packet analyzer, scheduling of the
received data packet through the packet scheduler, if no
encryption was identified, or performing the steps of
decrypting the encryption data packet through the packet
encryption module and scheduling of the decrypted data packet
though the packet scheduler if encryption was identified, and
distributing the received data packet to one of the service
nodes according to the scheduling.
The inventive method has the advantage that an existing
packet scheduler can be used to make scheduling decisions
even if received data packets are partially encrypted.
According to the present invention partially encrypted data
packets are picked up by a packet analyzer and decrypted
before a decrypted version of the packet is sent on to the
packet scheduler. After the packet scheduler has made a
scheduling decision based on the decrypted content of the
data packet, the data packet can be replaced by the encrypted
version again, such that the service node or any higher level
protocol tools are not aware of the intermediate decryption.
Thus, the inventive method can be introduced transparently to
an existing cluster system.

In a first embodiment of the present invention incoming
encrypted data packets are temporarily stored by the packet
analyzer and a decrypted copy of the packet is sent to the
packet scheduler for scheduling. The decision of the packet
scheduler is returned to the packet analyzer, which then
sends the originally received packet onto the service node
according to the decision of the packet scheduler.
In an alternative implementation of the method, an additional
packet exchange module is provided, which picks up previously
encrypted packets, which were decrypted for the packet
scheduler and replaces them with the originally encrypted
data packets, which are forwarded from the packet analyzer to
the packet exchange module. This embodiment has the advantage
that it can be implemented in a typical queue oriented
software system.
Further details and embodiments of the present invention are
described in the patent claims.
The invention will be described in the following using
exemplary embodiments shown in the following figures.
Figure 1 shows a first embodiment of the present invention.
Figure 2 shows a second embodiment of the present invention.
Figure 3 shows a flow chart of the inventive method.
Figure 1 shows a cluster system 1 comprising a gateway node 2
and three service nodes 3A, 3B and 3C. Each of the service
nodes 3A, 3B and 3C has a unique address 18A, 18B and 18C

respectively. The gateway node 2 and the service nodes 3 are
connected through an internal network 11. The gateway node 2
comprises a packet analyzer 4, a packet decryption module 5
and a packet scheduler 6. The packet decryption module 5
contains a decryption key 17 and the packet analyzer 4
comprises at least one predetermined virtual address 12. In
addition, the gateway node 2 is connected to a communication
network 10.
The packet analyzer 4 receives data packets from the
communication network 10. It checks whether incoming packets
are address to the predetermined virtual address 12 and
whether the incoming packets are encrypted. If an encrypted
packet 7 is found, a copy of the encrypted packet 7 is stored
and the packet 7 is forwarded to the packet decryption module
5.
The packet decryption module 5 decrypts the encrypted data
packet 7 using the decryption key 17 and returns an decrypted
packet 8 to the packet analyzer 4.
The decrypted packet 8 is then forwarded to the packet
scheduler 6, which makes a scheduling decision based on the
decrypted packet's content. Scheduling data 9 is then
returned from the packet scheduler 6 to the packet analyzer
4, either alone or contained in the decrypted packet 8. For
example, the packet scheduler 6 can return its scheduling
decision by overwriting the virtual address 12 originally
contained in the data packet 8 with one of the unique
addresses 18A, 18B or 18C of the service nodes 3A, 3B or 3C.
Alternatively the packet scheduler 6 can add an additional
header to the returned data packet 8.

The packet analyzer 4 combines the stored encrypted packet 7
with the received scheduling data 9 and forwards the
resulting data packet to the internal network 11. For
example, an destination address 18A, 18B or 18C contained in
a modified or additional header of the returned data packet 8
can be included in the stored encrypted packet 7. The data
packet 7 is then forwarded to one of the service nodes 3A,
3B, 3C for further processing.
If an open, i.e. unencrypted data packet is received by the
packet analyzer 4 from the data network 10, the packet is
forwarded directly to the packet scheduler 6, without prior
decryption or intermediate storage.
The embodiment shown in Figure 1 has the additional advantage
that all processing of the unencrypted data packet 8 takes
place within the gateway node 2. Thus, even in cases were the
internal communication network 11 is deemed to be insecure,
e.g. because it an open network connecting service nodes 3 at
locations different from the location of the gateway node 2,
the data exchanged over the networks 10 and 11 remains
secure.
Figure 2 shows an alternative embodiment of the present
invention. A cluster system 13 comprises a gateway node 2, a
routing node 14, a decryption node 15 and three service nodes
3A, 3B and 3C with addresses 18A, 18B and 18C respectively.
All nodes are connected by an internal network 11. The
gateway node 2 is further connected to a communication
network 10.
The gateway node 2 comprises a packet analyzer 4. The packet
analyzer 4 analyzes incoming data packets and compares them

with at least one predetermined virtual address 12. If an
encrypted packet 7 is detected by the packet analyzer 4, the
encrypted data packet 7 is forwarded to a decryption module 5
of the decryption node 15 and to a packet exchange module 16
of the routing node 14.
The decryption module 5 decrypts the incoming encrypted
packet 7 using a decryption key 17 and returns a decrypted
packet 8 to the gateway node 2. The gateway node 2 then
forwards the decrypted data packet 8 to a packet scheduler 6
of the routing node 14. Alternatively the decryption node 15
can also forward the decrypted packet 8 to the routing node
14 directly.
The packet scheduler 6 inside the routing node 14 makes a
scheduling decision based on the decrypted data packet 8 and
adds scheduling data 9, typically the address 18A, 18B, or
18C of one of the service nodes 3A, 3B or 3C to the data
packet 8. Because the packet scheduler 6 only receives
decrypted packets 8, i.e. data packets without any IPsec
information, all scheduling algorithms and systems developed
for the original IP protocol can be utilized without change.
The modified data packet 8 is then detected and picked up by
the packet exchange module 16, which also runs within the
routing node 14. For example, the packet exchange module 16
could analyze source address of data packets 7 scheduled by
the packet scheduler and compare them with source addresses
of the forwarded encrypted data packet 7. The authentication
header used by IPsec also contains a packet sequence number,
which can be used for identification of data packets to be
exchanged. The packet exchange module 16 then exchanges the
decrypted data packet 8 with the encrypted data packet 7,

which was previously sent to it. At the same time it
maintains the scheduling data 9, e.g. its new destination
address 18A, 18B or 18C. The encrypted data packet 7
comprising the scheduling data 9 is then forwarded to one of
the service nodes 3A, 3B or 3C for further processing.
As in the previous embodiment, the inventive method can also
be used in a network, in which unencrypted data packets are
received by the gateway node 2. If an unencrypted data packet
8 is received by the packet analyzer 4, it is simply
forwarded to the scheduling module 6 and ignored by the
packet exchange module 16. Thus, the performance of existing
systems for distributing data packets in a cluster system can
be maintained for unencrypted data traffic, whilst allowing
to support encrypted data traffic.
As shown by the two different embodiments shown in Figure 1
and Figure 2, the different functional modules 3, 4, 5, 6 and
16 of the cluster system 1 and 13 can be either implemented
in hardware or software. Forwarding data packets from one
module to another can be achieved either by means of software
interfaces or by physically sending them from one node of the
cluster system 1 or 13 to another. In practice, many of the
nodes of the cluster system 1 and 13 will be replicated for
reasons of performance and reliability. In case several
redundant gateway nodes 2 and/or decryption nodes 5 exist,
all packet decryption modules 5 must contain the same
decryption key 17.
As mentioned in the outset, the IPsec standard also allows
for authentication of data packets. If authentication is
desired, either alone or in addition to the encryption of
data packets, such functionality can be implemented using the

same architecture as described above and shown in Figure 1
and 2 respectively.
In this case an additional authentication module, either as
part of the gateway node 2 or as a separate node of the
cluster system 1 or 13 respectively must be provided. If the
packet analyzer 4 identifies an incoming data packet
containing an authorization header, the packet is forwarded
to the authentication module prior to making a scheduling
decision. If the packet is deemed to be authentic, it is
forwarded to the scheduling module 6. Otherwise the packet
may be rejected or forwarded to a special node or module for
further analysis, e.g. to analyze whether a safety-critical
attack on the cluster system 1 or 13 is being carried out
over the data network 10.
If both AH and ESP headers are present, they are analyzed and
processed in the order they are included in the received data
packet 7, i.e. a data packet containing a AH header followed
by an ESP header is authenticated first and decrypted
afterwards and vice versa.
A flow chart of the inventive method including both,
authentication and decryption of data packets is shown in
Figure 3.
Typically, outgoing data packets returned from the service
nodes 3 to a client node over the network 10 will be
encrypted too. In order to make good scheduling decisions,
the packet scheduler 6 needs to maintain information about
open connections between any client system and service node
3, such that all requests belonging to one connection are
send to the same service node 3. Thus, it is important to

scan outgoing data packets for connection closure. However,
outgoing data packets may be encrypted, such that data
required to determine the state of an connection is not
available to the packet scheduler 6.
For this reason, in a further embodiment of the invention,
data packets are scanned for connection closure before they
are encrypted. This can be done, for example, by a separate
encryption module used to add the IPsec headers to outgoing
data packets. The gathered information can then be forwarded
to the packet scheduler 6, either through a separate
interface or as part of the outgoing data packets, e.g. in
form of an additional packet header. Such additional
information must be stripped from the outgoing data packets
before they are finally returned over the communication
network 10, for example by the packet analyzer 4.
Alternatively, outgoing data packets can be send through the
same processing queue as incoming packets, i.e. they can be
analyzed, decrypted if necessary, forwarded to the scheduler
and subsequently replaced with the originally encrypted
outgoing data packet as described above.

List of References
1 Cluster system
2 Gateway node
3 Service node
4 Packet analyzer
5 Packet decryption module
6 Packet scheduler
7 Encrypted data packet
8 Decrypted data packet
9 Scheduling data
10 Communication network
11 Internal network
12 Virtual address
13 Cluster system
14 Routing node
15 Decryption node
16 Packet exchange module
17 Decryption key
18 Unique address

We Claim:
1. Method for distributing a data packet (7) using a protocol, which allows for at
least some content of the data packet (7) to be encrypted, to one of a
multiplicity of service nodes (3) of a cluster system (1, 13) comprising the
multiplicity of service nodes (3), at least one gateway node (2), a packet
analyzer (4) for analyzing destination addresses and encryption states of the
incoming data packet (7), a packet decryption module (5) comprising a
predefined key (17) for decrypting encrypted content of the data packet (7), and
a packet scheduler (6) for determining which of the service nodes (3) to be used
for the data packet (7) addressed to at least one virtual address (12) received
over a communication network (10) based on the data packet's content, the
method comprising the following steps:
a) receiving the incoming data packet (7) addressed to the virtual address (12)
through the gateway node (2) and identifying the encryption state of the
received data packet (7) through the packet analyzer (4),
b) if no encryption was identified in step a), scheduling of the received data
packet (7) through the packet scheduler (6) and distributing the received
unencrypted data packet (7) to one of the service nodes (3) according to
scheduling data (9),

c) if encryption was identified in step a), performing the following steps:
- decrypting the encrypted data packet (7) through the packet decryption
module (5),
- scheduling of the decrypted data packet (8) through the packet scheduler (6),
and distributing the received encrypted data packet (7) to one of the service
nodes (3) according to scheduling data (9).
2. The method as claimed in claim 1, characterized in that step c) comprises the
steps of
- storing the received data packet (7) by the packet analyzer (4),
- forwarding the decrypted data packet (8) to the packet scheduler (6) for
determining a scheduling data (9), and
- modifying the stored, encryption data packet (7) using the scheduling
information (9) provided by the packet scheduler (6) through the packet analyzer
(4).
3. The method as claimed in claim 1, characterized in that the cluster system
(13) comprises a packet exchange module (16) and step c) further comprises
- forwarding the decrypted data packet (8) from the decryption (5) to the packet
scheduler (6) for scheduling,

- forwarding the received encrypted data packet (7) from the packet analyzer (4)
to the packet exchange module (16),
- intercepting the scheduled decrypted data packet (8) and replacing the
decrypted data packet (8) with the forwarded encrypted data packet (7) through
the packet exchange module (16).
4. The method as claimed in one of the claims 1 to 3, characterized in the cluster
system (1, 13) comprises a packet authentication module for verifying
authentication data of the data packet (7),
- step a) further comprises the step of detecting if the data packet (7) contains
authentication data,
- step b) and step c) comprise the steps of forwarding the data packet containing
authentication data to the authentication module and taking appropriate action in
case the authentication information can not be verified.
5. Cluster system (1, 13) comprising
- a multiplicity of service nodes (3),
- at least one gateway node (2) comprising a packet analyzer (4) for analysing
destination addresses and encryption states of an incoming data packet (7), a
packet decryption module (5) comprising a predefined key (17) for decrypting
encrypted content of the data packet (7) and a packet scheduler (6) for

determining which of the service nodes (3) to be used for data packets
addressed to at least one virtual address (12) based on data packet's content,
- a communication network (11) connecting said gateway node (2) and service
nodes (3),
said cluster system (1, 13) being adapted to perform a method as claimed in any
one of the claims 1 to 4.

ABSTRACT

TITLE : "A METHOD FOR DISTRIBUTING DATA PACKETS ADDRESSED TO AT
LEAST ONE VIRTUAL ADDRESS RECEIVED OVER A COMMUNICATION
NETWORK AND A CLUSTER SYSTEM"
The invention relates to a method for distributing to a plurality of service nodes a data
packet addressed to at least one virtual address and received over a communication
network using a protocol that allows at least some content of the data packets to be
encrypted, the method comprising: receiving an incoming data packet addressed to a
virtual address through a gateway node of a cluster system identified by at least one
common virtual address comprising: a plurality of service nodes; at least one gateway
node; a packet analyzer that analyzes destination addresses and encryption states of
incoming data packets; a packet decryption module comprising a key that decrypts
encrypted content of data packets; and a packet scheduler that determines which of the
service nodes receives data packets addressed to the at least one virtual address based
upon service information comprising at least one of a port number and an application
protocol contained in the UDP or TCP header of the data packets; identifying the
encryption state of the incoming data packet via the packet analyzer; scheduling the
received data packet via the packet scheduler based upon the port number or the
application protocol in the service information contained in the UDP or TCP header of the
received data packet in response to no encryption being identified in step b); in response
to encryption being identified in step b), decrypting the incoming data packet including the
UDP or TCP header via the packet decryption module and scheduling the decrypted data
packet via the packet scheduler based upon the port number or the application protocol in
the service information contained in the UDP or TCP header of the decrypted data packet;
and distributing the incoming data packet to one of the service nodes having a unique
address according to the determination of the packet scheduler.

Documents:

00624-kol-2006 abstract.pdf

00624-kol-2006 claims.pdf

00624-kol-2006 correspondence others.pdf

00624-kol-2006 description(complete).pdf

00624-kol-2006 drawings.pdf

00624-kol-2006 form-1.pdf

00624-kol-2006 form-2.pdf

00624-kol-2006 form-3.pdf

00624-kol-2006 form-5.pdf

624-KOL-2006-(14-08-2013)-ABSTRACT.pdf

624-KOL-2006-(14-08-2013)-CORRESPONDENCE.pdf

624-KOL-2006-(14-08-2013)-FORM-1.pdf

624-KOL-2006-(14-08-2013)-FORM-2.pdf

624-KOL-2006-(20-09-2011)-ABSTRACT.pdf

624-KOL-2006-(20-09-2011)-AMANDED CLAIMS.pdf

624-KOL-2006-(20-09-2011)-ASSIGNMENT.pdf

624-KOL-2006-(20-09-2011)-DESCRIPTION (COMPLETE).pdf

624-KOL-2006-(20-09-2011)-DRAWINGS.pdf

624-KOL-2006-(20-09-2011)-EXAMINATION REPORT REPLY RECIEVED.pdf

624-KOL-2006-(20-09-2011)-FORM 1.pdf

624-KOL-2006-(20-09-2011)-FORM 2.pdf

624-KOL-2006-(20-09-2011)-FORM 3.pdf

624-KOL-2006-(20-09-2011)-OTHERS.pdf

624-KOL-2006-(20-09-2011)-PETITION UNDER RULE 137-1.1.pdf

624-KOL-2006-(20-09-2011)-PETITION UNDER RULE 137.pdf

624-KOL-2006-(28-08-2012)CORRESPONDENCE.pdf

624-KOL-2006-(29-07-2013)-CORRESPONDENCE.pdf

624-KOL-2006-CORRESPONDENCE 1.1.pdf

624-KOL-2006-CORRESPONDENCE.pdf

624-KOL-2006-EXAMINATION REPORT.pdf

624-KOL-2006-FORM 18.pdf

624-KOL-2006-FORM 26.pdf

624-KOL-2006-GRANTED-ABSTRACT.pdf

624-KOL-2006-GRANTED-CLAIMS.pdf

624-KOL-2006-GRANTED-DESCRIPTION (COMPLETE).pdf

624-KOL-2006-GRANTED-DRAWINGS.pdf

624-KOL-2006-GRANTED-FORM 1.pdf

624-KOL-2006-GRANTED-FORM 2.pdf

624-KOL-2006-GRANTED-FORM 3.pdf

624-KOL-2006-GRANTED-FORM 5.pdf

624-KOL-2006-GRANTED-SPECIFICATION-COMPLETE.pdf

624-KOL-2006-OTHERS.pdf

624-KOL-2006-PETITION UNDER RULE 137.pdf

624-KOL-2006-REPLY TO EXAMINATION REPORT.pdf

624-KOL-2006-TRANSLATED COPY OF PRIORITY DOCUMENT.pdf

abstract-00624-kol-2006.jpg

« Previous Patent

Next Patent »

Patent Number

257411

Indian Patent Application Number

624/KOL/2006

PG Journal Number

40/2013

Publication Date

04-Oct-2013

Grant Date

30-Sep-2013

Date of Filing

26-Jun-2006

Name of Patentee

FUJITSU SIEMENS COMPUTERS INC.

Applicant Address

1250 EAST ARQUES AVENUE MAIL STOP 190 SUNNYVALE, CA 94085-5401

Inventors:

#	Inventor's Name	Inventor's Address
1	RAJENDRAN VISHWANATHAN	1403 PETAL WAY SAN JOSE, CA 95129

PCT International Classification Number

H04L29/06

PCT International Application Number

N/A

PCT International Filing date

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	60/698,463	2005-07-12	U.S.A.