CPC H04L 63/0471 (2013.01) [H04L 12/4633 (2013.01); H04L 63/0272 (2013.01); H04L 63/029 (2013.01); H04L 63/08 (2013.01); H04L 63/0428 (2013.01); H04L 63/126 (2013.01)]

19 Claims

1. A method in a first network device for modifying network traffic data, comprising:

    a first switching engine in the first network device:

        obtaining a network traffic data unit;

        performing a lookup, by the first switching engine, to identify a destination using forwarding information contained in the network traffic data unit, and

        making a determination that the network traffic data unit is to traverse a network tunnel based on the destination,

        appending the network tunnel information to the network traffic data unit in response to a determination that the network traffic data unit is to traverse a network tunnel, wherein the network tunnel information indicates one or more of: (i) a port through which the network traffic data unit is intended to be transmitted out of the network device, (ii) an encryption engine for transmitting the network traffic data unit, and (iii) outer forwarding information that specifies a path through the network tunnel and/or a destination device that terminates the network tunnel;

        making a determination that encryption of the network traffic data unit is required based at least on the network tunnel information;

        generating encryption information, by the first switching engine, in response to a determination that encryption of the network traffic data unit is required, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt;

        appending the encryption information to the network traffic data unit;

    prior to transmitting the network traffic data unit, securing the network traffic data unit, by an encryption engine in the first network device, using the encryption information appended to the network traffic data unit to create an encrypted network traffic data unit, wherein securing the network traffic data unit comprises:

        encrypting a portion of the network traffic data unit specified in the encryption information in accordance with the encryption type and the encryption key specified in the encryption information;

        removing the encryption information from the network traffic data unit; and

        appending decryption information to the encrypted network traffic data unit; and

    transmitting the encrypted network traffic data unit through the network tunnel, based on the network tunnel information, to the identified destination.
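The pipeline of claim 1, as an added Python model that is not part of the patent: the switching engine tags the data unit with tunnel information and encryption information, the encryption engine encrypts only the specified portion, strips the key-bearing encryption information before the unit leaves the device, and appends decryption information for the device terminating the tunnel. The lookup tables, the 4-byte destination header, the field names and the HMAC-SHA256 counter-mode stream cipher are all assumptions standing in for the claim's unspecified implementation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class DataUnit:
    payload: bytes                       # inner frame: 4-byte destination + data (constructed layout)
    tunnel_info: dict = field(default_factory=dict)      # appended by the switching engine
    encryption_info: dict = field(default_factory=dict)  # appended by switching engine, removed by encryption engine
    decryption_info: dict = field(default_factory=dict)  # appended by the encryption engine
# Hypothetical lookup state of the switching engine (constructed sample values).
FORWARDING_TABLE = {b"\x0a\x00\x00\x02": "tunnel-A"}     # inner destination -> tunnel
TUNNEL_TABLE = {"tunnel-A": {"port": 7, "engine": "enc0", "outer_dst": "10.9.9.9", "encrypt": True}}
KEY_TABLE = {"tunnel-A": bytes(range(32))}                # per-tunnel key held inside the device

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode stream cipher; a stand-in for the claim's unspecified encryption type."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def switching_engine(unit: DataUnit) -> DataUnit:
    """Lookup, tunnel decision, and appending of tunnel and encryption information."""
    tunnel = FORWARDING_TABLE.get(unit.payload[:4])
    if tunnel is None:
        return unit                       # no tunnel: unit forwarded untouched
    unit.tunnel_info = dict(TUNNEL_TABLE[tunnel], name=tunnel)
    if unit.tunnel_info["encrypt"]:       # encryption required is decided from the tunnel information
        unit.encryption_info = {"type": "hmac-sha256-ctr", "key": KEY_TABLE[tunnel],
                                "start": 4, "end": len(unit.payload)}   # portion: everything after the header
    return unit

def encryption_engine(unit: DataUnit) -> DataUnit:
    """Encrypt the specified portion, drop the encryption information, append decryption information."""
    info = unit.encryption_info
    if not info:
        return unit
    nonce, s, e = os.urandom(12), info["start"], info["end"]
    unit.payload = unit.payload[:s] + keystream_xor(info["key"], nonce, unit.payload[s:e]) + unit.payload[e:]
    unit.encryption_info = {}             # the key never leaves the device with the unit
    unit.decryption_info = {"type": info["type"], "nonce": nonce, "start": s, "end": e}
    return unit

def tunnel_endpoint_decrypt(unit: DataUnit, key: bytes) -> bytes:
    """What the device terminating the tunnel does with the appended decryption information."""
    d = unit.decryption_info
    return unit.payload[:d["start"]] + keystream_xor(key, d["nonce"], unit.payload[d["start"]:d["end"]]) + unit.payload[d["end"]:]
```

Note that the decryption information carries only the cipher type, nonce and byte range, never the key; the far endpoint must already hold the tunnel key through a separate key-distribution step that the claim does not cover.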