US Patent No. 10,659,440

OPTIMIZING UTILIZATION OF SECURITY PARAMETER INDEX (SPI) SPACE


Patent No. 10,659,440
Issue Date May 19, 2020
Title Optimizing Utilization of Security Parameter Index (SPI) Space
Inventorship Dexiang Wang, San Jose, CA (US)
Zhen Mo, Palo Alto, CA (US)
Fang Peng, Palo Alto, CA (US)
Bo Hu, Palo Alto, CA (US)
Helen Liu, Palo Alto, CA (US)
Assignee Nicira, Inc., Palo Alto, CA (US)

Claim of US Patent No. 10,659,440

1. A method for providing a security parameter index (SPI) value for use in establishing a security association between a source tunnel endpoint and a destination tunnel endpoint, comprising:
receiving, at a server, a request from the source tunnel endpoint for a SPI value for use by the source tunnel endpoint in establishing the security association with the destination tunnel endpoint for securing an exchange of one or more data packets between a source endpoint and a destination endpoint;
deriving, at the server, the SPI value using a SPI derivation formula based on a key policy assigned to the source tunnel endpoint and the destination tunnel endpoint, wherein most bits from the SPI value are associated with the key policy; and
transmitting, at the server, the SPI value to the source tunnel endpoint for use by the source tunnel endpoint in establishing the security association, wherein the established security association is used by the source tunnel endpoint to encapsulate and encrypt at least a data packet from the one or more data packets received from the source endpoint and destined for the destination endpoint, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of the source tunnel endpoint, a destination IP address of the destination tunnel endpoint, and the SPI value, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint, and wherein the encapsulated encrypted data packet is transmitted by the source tunnel endpoint to the destination tunnel endpoint, wherein the key policy defines one or more properties of an encryption key of the established security association, and wherein the encryption key is used for encrypting the data packet.
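As an added illustration (not code from the patent, and not Nicira's implementation), the following Python sketches a server that answers SPI requests in the manner the claim describes: the key-policy identifier is packed into the high bits of the 32-bit SPI and a per-policy index for the (source tunnel endpoint, destination tunnel endpoint) pair into the low bits, so that most bits of the SPI are associated with the key policy. The 24/8 bit split, the policy IDs, the sample addresses and the names SpiServer, derive_spi, split_spi and esp_header are assumptions; the patent does not publish its derivation formula or bit widths. The check against SPI values 0-255 (0 is for local use and 1-255 are IANA-reserved under RFC 4303) is a practitioner's caveat, not part of the claim.

```python
"""
Hypothetical SPI allocation server in the style of the claim above.

Assumptions (not from the patent): a 32-bit SPI is split so that the upper
POLICY_BITS bits carry the key-policy identifier and the low PAIR_BITS bits
carry a per-policy index for the (source TEP, destination TEP) pair.
"""
from __future__ import annotations

import struct

SPI_BITS = 32
POLICY_BITS = 24                      # "most bits" of the SPI go to the key policy
PAIR_BITS = SPI_BITS - POLICY_BITS    # remaining bits index tunnel-endpoint pairs
POLICY_MASK = (1 << POLICY_BITS) - 1
PAIR_MASK = (1 << PAIR_BITS) - 1
RESERVED_SPI_MAX = 255                # RFC 4303: SPI 0 is local use, 1-255 are IANA-reserved


def derive_spi(policy_id: int, pair_index: int) -> int:
    """Pack a key-policy ID and a per-policy pair index into one 32-bit SPI."""
    if not 0 <= policy_id <= POLICY_MASK:
        raise ValueError(f"policy_id {policy_id} does not fit in {POLICY_BITS} bits")
    if not 0 <= pair_index <= PAIR_MASK:
        raise ValueError(f"pair_index {pair_index} does not fit in {PAIR_BITS} bits")
    spi = (policy_id << PAIR_BITS) | pair_index
    if spi <= RESERVED_SPI_MAX:
        # Only key policy 0 can land here; refuse rather than hand out a reserved SPI.
        raise ValueError(f"SPI {spi:#010x} falls in the reserved range 0-255")
    return spi


def split_spi(spi: int) -> tuple[int, int]:
    """Inverse of derive_spi: recover (policy_id, pair_index) from an SPI."""
    return spi >> PAIR_BITS, spi & PAIR_MASK


def spi_is_reserved(spi: int) -> bool:
    """True for SPI values a server must never hand out (RFC 4303 section 2.1)."""
    return 0 <= spi <= RESERVED_SPI_MAX


def esp_header(spi: int, seq: int) -> bytes:
    """First 8 bytes of an ESP header (RFC 4303): SPI, then sequence number, big-endian."""
    return struct.pack("!II", spi, seq)


class SpiServer:
    """Answers SPI requests from source tunnel endpoints, one sub-space per key policy."""

    def __init__(self) -> None:
        # policy_id -> {(src_tep, dst_tep): pair_index}
        self._pairs: dict[int, dict[tuple[str, str], int]] = {}

    def request_spi(self, policy_id: int, src_tep: str, dst_tep: str) -> int:
        """Return the SPI for this endpoint pair under this policy, allocating on first use."""
        pairs = self._pairs.setdefault(policy_id, {})
        key = (src_tep, dst_tep)
        if key not in pairs:
            if len(pairs) > PAIR_MASK:
                raise RuntimeError(
                    f"key policy {policy_id} has exhausted its {1 << PAIR_BITS} SPIs")
            pairs[key] = len(pairs)   # next free index in this policy's sub-space
        return derive_spi(policy_id, pairs[key])


def demo_allocation() -> tuple[int, int, int]:
    """Three requests against one server: two distinct pairs, then a repeat of the first.

    The tunnel-endpoint addresses are constructed sample values.
    """
    server = SpiServer()
    a = server.request_spi(1, "192.0.2.1", "192.0.2.2")
    b = server.request_spi(1, "192.0.2.1", "192.0.2.3")
    c = server.request_spi(1, "192.0.2.1", "192.0.2.2")
    return a, b, c


if __name__ == "__main__":
    spi, _, _ = demo_allocation()
    policy, pair = split_spi(spi)
    print(f"SPI {spi:#010x} -> key policy {policy}, pair index {pair}")
    print("ESP header bytes:", esp_header(spi, 1).hex())
```

Two consequences of this layout are worth keeping in mind. A receiving tunnel endpoint can recover the key policy directly from the high bits of the SPI in the outer header without a per-SA lookup, which is the utilization gain the title refers to. The price is that the per-policy sub-space is small (256 endpoint pairs with an 8-bit index), so the split has to be chosen against the expected number of tunnel-endpoint pairs per policy, and policy ID 0 cannot be used at all without colliding with the reserved SPI range.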