US 12,476,947 B2
Wire-speed routing and policy enforcement without DPI or decryption
Vincent Parla, North Hampton, NH (US); Kyle Andrew Donald Mestery, Woodbury, MN (US); Rahim Lalani, Vancouver (CA); and Scott Roy Fluhrer, North Attleboro, MA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Sep. 30, 2021, as Appl. No. 17/491,163.
Prior Publication US 2023/0097734 A1, Mar. 30, 2023
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/0485 (2013.01) [H04L 63/0236 (2013.01); H04L 63/166 (2013.01)] 10 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
decrypting a part of a received encrypted packet to determine routing information to yield a decrypted part and a remaining encrypted part that includes a payload, the remaining encrypted part being encrypted in an inner IPsec tunnel header via IPsec site-to-site;
creating a metadata tag for the encrypted packet using the decrypted part, wherein the metadata tag includes a hint associated with the routing information of the encrypted packet;
encrypting the metadata tag with a different encryption protocol from an encryption protocol used to encrypt the remaining encrypted part;
upon encrypting the metadata tag, applying the metadata tag externally to an outer header of the encrypted packet, wherein the metadata tag is encapsulated in an outer (D)TLS tunnel header via (D)TLS encapsulation; and
applying an indicator to the encrypted packet, the indicator preventing further decryption and inspection of the remaining encrypted part at nodes downstream;
bootstrapping an Internet Key Exchange (IKE) on behalf of a client, whereby the client does not have access to a pre-shared key associated with the IPsec site-to-site;
preventing child Security Associations from being decryptable by a network, wherein the inner IPsec tunnel header is not decryptable by the network; and
routing the remaining encrypted part through the network based on the metadata tag.
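The claim describes a layering that is easy to get wrong in practice: a routing hint that travels outside the site-to-site ciphertext, protected by a different protocol and key than the payload, plus a clear-text indicator telling transit nodes not to look further. The Go program below is an added illustrative model written for this page; it is not Cisco's implementation and nothing in it comes from the patent. AES-GCM under two independent keys stands in for the (D)TLS hop session (outer key) and the IPsec child SA (inner key); the wire layout, the `Hint` fields, the `FlagNoInspect` value, the 12-byte random nonce and the demo keys and route table are all assumptions. It shows a transit node routing on the tag alone, the indicator bound into the outer AEAD's associated data so it cannot be cleared undetected, and the inner ciphertext staying opaque to any node that holds only the hop key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Indicator bit in the clear flags byte: nodes past ingress must not open the inner ciphertext.
const FlagNoInspect byte = 0x01

// Hint is the routing metadata inside the tag (the fields are this model's assumption).
type Hint struct{ DstSite uint16; Class uint8 }

// gcm builds AES-GCM for a 16/24/32-byte key; a bad key length is a caller bug here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal returns nonce || AES-GCM(pt) with ad bound as associated data.
func Seal(key, ad, pt []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, gcm(key).Seal(nil, nonce, pt, ad)...)
}

// Open reverses Seal; it fails on a wrong key, a wrong ad, or any flipped bit.
func Open(key, ad, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], ad)
}

// Encapsulate (ingress): seal the hint under outerKey (stand-in for the (D)TLS hop
// session), bind the flags byte as associated data so the indicator cannot be cleared
// undetected, and append innerCT untouched. Layout: flags(1) | tagLen(2, BE) | tag | innerCT.
func Encapsulate(outerKey []byte, h Hint, innerCT []byte) []byte {
	flags := []byte{FlagNoInspect}
	tag := Seal(outerKey, flags, []byte{byte(h.DstSite >> 8), byte(h.DstSite), h.Class})
	pkt := append(flags, byte(len(tag)>>8), byte(len(tag)))
	pkt = append(pkt, tag...)
	return append(pkt, innerCT...)
}

// Parse (any transit node): authenticate and open the tag with the hop key; hand on inner untouched.
func Parse(outerKey, pkt []byte) (flags byte, h Hint, inner []byte, err error) {
	if len(pkt) < 3 || len(pkt) < 3+int(binary.BigEndian.Uint16(pkt[1:3])) {
		return 0, h, nil, errors.New("truncated packet")
	}
	n := 3 + int(binary.BigEndian.Uint16(pkt[1:3]))
	hb, err := Open(outerKey, pkt[:1], pkt[3:n])
	if err != nil || len(hb) != 3 {
		return 0, h, nil, fmt.Errorf("tag rejected (auth error: %v, hint length: %d)", err, len(hb))
	}
	return pkt[0], Hint{DstSite: binary.BigEndian.Uint16(hb[:2]), Class: hb[2]}, pkt[n:], nil
}

// Route picks the next hop from the hint alone; the inner ciphertext is never opened.
func Route(outerKey, pkt []byte, table map[uint16]string) (string, error) {
	_, h, _, err := Parse(outerKey, pkt)
	if err != nil {
		return "", err
	}
	if hop, ok := table[h.DstSite]; ok {
		return hop, nil
	}
	return "", fmt.Errorf("no route to site %d", h.DstSite)
}

// Inspect models a DPI attempt past ingress: the indicator stops it before any decryption.
func Inspect(outerKey, innerKey, pkt []byte) ([]byte, error) {
	flags, _, inner, err := Parse(outerKey, pkt)
	if err != nil {
		return nil, err
	}
	if flags&FlagNoInspect != 0 {
		return nil, errors.New("indicator set: inner part must not be inspected here")
	}
	return Open(innerKey, nil, inner)
}

func main() {
	outerKey, innerKey := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed demo keys
	pkt := Encapsulate(outerKey, Hint{DstSite: 7, Class: 2}, Seal(innerKey, nil, []byte("constructed payload")))
	fmt.Println(Route(outerKey, pkt, map[uint16]string{7: "edge-b"}))
	fmt.Println(Inspect(outerKey, innerKey, pkt))
}
```

Two points the model is built around. First, the indicator is a clear-text byte, so on its own it is policy, not enforcement; passing it as associated data to the outer AEAD means a transit node that honours the flag also detects any on-path attempt to clear it (flip `pkt[0]` and `Parse` rejects the packet). Second, the real barrier is key separation: a node with only the hop key cannot open the inner ciphertext whether or not the flag is set, which is what the claim's "child Security Associations not decryptable by the network" amounts to. Random 96-bit GCM nonces are fine for a demo but a real (D)TLS or ESP stack derives them from sequence numbers; do not copy that part.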