Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests

US 10,015,162 B2
Filed: 05/11/2015
Issued: 07/03/2018
Est. Priority Date: 05/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a network firewall connected to a first network node, the method comprising:

obtaining, by the network firewall from a network controller, a first network test session authentication token for a network test;

receiving, by the network firewall, an Internet Control Message Protocol (ICMP) echo request message from a second network node for performing the network test on the first network node, the ICMP echo request message being an extended ICMP echo request packet comprising;

a data format version number field indicating a version number for the extended ICMP echo request packet;

a type of request field indicating a type of information requested by the extended ICMP echo request packet; and

a firewall authentication token field identifying a firewall authentication token for the network test, and comprising a second network test session authentication token;

comparing, by the network firewall, the second network test session authentication token to the first network test session authentication token;

authenticating, by the network firewall, the ICMP echo request message in response to the second network test session authentication token in the ICMP echo request message matching the first network test session authentication token; and

forwarding, by the network firewall, the ICMP echo request message to the first network node to grant the network test on the first network node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method implemented by a network firewall, comprising obtaining a first authentication token for a network test, receiving a test request message for performing the network test on a network element (NE) connected to the network firewall, authenticating the test request message by determining whether the test request message includes a second authentication token that matches the first authentication token, and granting the network test on the NE when the second authentication token matches the first authentication token.

62 Citations

21 Claims

1. A method implemented by a network firewall connected to a first network node, the method comprising:
- obtaining, by the network firewall from a network controller, a first network test session authentication token for a network test;
  
  receiving, by the network firewall, an Internet Control Message Protocol (ICMP) echo request message from a second network node for performing the network test on the first network node, the ICMP echo request message being an extended ICMP echo request packet comprising;
  
  a data format version number field indicating a version number for the extended ICMP echo request packet;
  
  a type of request field indicating a type of information requested by the extended ICMP echo request packet; and
  
  a firewall authentication token field identifying a firewall authentication token for the network test, and comprising a second network test session authentication token;
  
  comparing, by the network firewall, the second network test session authentication token to the first network test session authentication token;
  
  authenticating, by the network firewall, the ICMP echo request message in response to the second network test session authentication token in the ICMP echo request message matching the first network test session authentication token; and
  
  forwarding, by the network firewall, the ICMP echo request message to the first network node to grant the network test on the first network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21)
- - 2. The method of claim 1, further comprising:
    - obtaining, by the network firewall from the network controller, a third network test session authentication token for a second network test;
      
      receiving, by the network firewall, a second ICMP echo request message from the second network node for performing the network test on the first network node, the second ICMP echo request message comprising a fourth network test session authentication token;
      
      comparing, by the network firewall, the fourth network test session authentication token to the third network test session authentication token; and
      
      rejecting the second ICMP echo request message in response to the fourth network test session authentication token failing to match the third network test session authentication token.
  - 3. The method of claim 1, further comprising receiving an authentication initiation message from a network management entity via a network, wherein the authentication initiation message specifies a value corresponding to an expiration time period associated with the first network test session authentication token.
  - 4. The method of claim 3, wherein the authentication initiation message further comprises the first network test session authentication token, and wherein the first network test session authentication token is obtained from the authentication initiation message.
  - 5. The method of claim 3, wherein obtaining the first network test session authentication token for the network test comprises generating the first network test session authentication token in response to the authentication initiation message, and wherein the method further comprises sending an authentication acknowledgement message to the network management entity indicating the first network test session authentication token.
  - 6. The method of claim 3, further comprising determining that the first network test session authentication token is associated with an unexpired expiration time period prior to authenticating the ICMP echo request message.
  - 7. The method of claim 3, wherein the network is a software-defined network (SDN), and wherein the network management entity is an SDN controller.
  - 8. The method of claim 1, wherein the first network test session authentication token comprises a 32-bit random number.
  - 9. The method of claim 1, wherein forwarding the ICMP echo request message to the first network node comprises forwarding the ICMP echo request message to the first network node without modifying the ICMP echo request message.
  - 21. The method of claim 1, wherein receiving the ICMP echo request message from the second network node comprises receiving the ICMP echo request message from the second network node via the first network node.

10. A method implemented by a network management entity, the method comprising:
- exchanging, by the network management entity, a first network test session authentication token with a network firewall for authenticating an Internet Control Message Protocol (ICMP) echo request message;
  
  generating, by the network management entity, the ICMP echo request message for performing a network test on a first network node that is connected to the network firewall, the ICMP echo request message being an extended ICMP echo request packet comprising;
  
  a data format version number field indicating a version number for the extended ICMP echo request packet;
  
  a type of request field indicating a type of information requested by the extended ICMP echo request packet; and
  
  a firewall authentication token field identifying a firewall authentication token for the network test, and comprising a second network test session authentication token;
  
  sending, by the network management entity, the ICMP echo request message comprising the second network test session authentication token to the first network node via a second network node; and
  
  receiving, by the network management entity from the first network node, an ICMP echo reply message, indicating the network firewall matched the first and second network test session authentication tokens to authenticate the ICMP echo request message and grant the network test on the first network node.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein exchanging the first network test session authentication token with the network firewall comprises:
    - sending an authentication initiation message to the network firewall to establish an authenticated network test session for performing the network test; and
      
      receiving an authentication acknowledgement message comprising the first network test session authentication token from the network firewall.
  - 12. The method of claim 10, wherein exchanging the first network test session authentication token with the network firewall comprises:
    - generating the first network test session authentication token; and
      
      sending an authentication initiation message to the network firewall to establish an authenticated network test session for performing the network test, wherein the authentication initiation message indicates the first network test session authentication token.
  - 13. The method of claim 10, further comprising sending an authentication initiation message to the network firewall to establish an authenticated network test session for performing the network test, wherein the authentication initiation message indicates a time-to-live (TTL) value for the first network test session authentication token, and wherein the TTL value indicates a time duration in which the first network test session authentication token is valid.
  - 14. The method of claim 10, wherein the ICMP echo request message is an extended ICMP echo request packet comprising a firewall authentication token field, and wherein embedding the second network test session authentication token in the ICMP echo request message comprises embedding the second network test session authentication token in the firewall authentication token field.
  - 15. The method of claim 10, wherein the network management entity is a software-defined network (SDN) controller.

16. A network firewall connected to a first network node, the network firewall comprising:
- a non-transitory memory storage comprising instructions; and
  
  one or more processors in communication with the non-transitory memory storage, wherein the one or more processors execute the instructions to;
  
  obtain, from a network controller, a first network test session authentication token for a network test;
  
  receive an Internet Control Message Protocol (ICMP) echo request message from a second network node for performing the network test on the first network node, the ICMP echo request message being an extended ICMP echo request packet comprising;
  
  a data format version number field indicating a version number for the extended ICMP echo request packet;
  
  a type of request field indicating a type of information requested by the extended ICMP echo request packet; and
  
  a firewall authentication token field identifying a firewall authentication token for the network test, and comprising a second network test session authentication token;
  
  compare the second network test session authentication token to the first network test session authentication token;
  
  authenticate the ICMP echo request message in response to the second network test session authentication token in the ICMP echo request message matching the first network test session authentication token; and
  
  forward the ICMP echo request message to the first network node to grant the network test on the first network node.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The network firewall of claim 16, wherein the one or more processors execute the instructions to receive an authentication initiation message from a network management entity via a network, wherein the authentication initiation message specifies a value corresponding to an expiration time period associated with the first network test session authentication token.
  - 18. The network firewall of claim 17, wherein the one or more processors execute the instructions to determine that the first network test session authentication token is associated with an unexpired expiration time period prior to authenticating the ICMP echo request message.
  - 19. The network firewall of claim 16, wherein the instructions to forward the ICMP echo request message to the first network node comprise instructions to forward the ICMP echo request message to the first network node without modifying the ICMP echo request message.
  - 20. The network firewall of claim 16, wherein the instructions to receive the ICMP echo request message from the second network node comprise instructions to receive the ICMP echo request message from the second network node via the first network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Yu, Yinfeng, Akhavain Mohammadi, Mehdi Arashmid, Wan, Tao, Yin, Guoli, Chu, Xingjun, Al Zoubi, Khaldoon, Wu, Yapeng
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/709,180
Publication Number

US 20160337314A1
Time in Patent Office

1,149 Days
Field of Search

726 11
US Class Current
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 43/50   Testing arrangements

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links