Apparatus and method for using certificate data to route data

US 10,091,247 B2
Filed: 08/08/2017
Issued: 10/02/2018
Est. Priority Date: 03/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of routing data across a network, the method comprising:

receiving, at an edge router, a session request from a client node to access, during a session, a server node in a local network, the local network comprising a plurality of nodes other than the client node, the edge router being coupled between the client node and the local network;

receiving, by the edge router, a client certificate from the client node, the client certificate having client information comprising a public key of the client node and specifying the server node;

receiving, by the edge router, from the client node, a signature encrypted according to a private key of the client node;

executing an authentication process using the client certificate, wherein the authentication process includes using the public key to verify the signature;

retrieving the client information from the client certificate;

maintaining a static connection between the edge router and the server node; and

receiving, by the edge router, data packets from the client node and, when the authentication process authenticates the client node, routing, by the edge router, the data packets to the server node specified by the client information in the client certificate, such that all data packets of the session received by the server node flow through the edge router, wherein routing the data packets to the server node comprises routing the data packets along the static connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

91 Citations

View as Search Results

47 Claims

1. A method of routing data across a network, the method comprising:
- receiving, at an edge router, a session request from a client node to access, during a session, a server node in a local network, the local network comprising a plurality of nodes other than the client node, the edge router being coupled between the client node and the local network;
  
  receiving, by the edge router, a client certificate from the client node, the client certificate having client information comprising a public key of the client node and specifying the server node;
  
  receiving, by the edge router, from the client node, a signature encrypted according to a private key of the client node;
  
  executing an authentication process using the client certificate, wherein the authentication process includes using the public key to verify the signature;
  
  retrieving the client information from the client certificate;
  
  maintaining a static connection between the edge router and the server node; and
  
  receiving, by the edge router, data packets from the client node and, when the authentication process authenticates the client node, routing, by the edge router, the data packets to the server node specified by the client information in the client certificate, such that all data packets of the session received by the server node flow through the edge router, wherein routing the data packets to the server node comprises routing the data packets along the static connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as defined by claim 1 further comprising rejecting the client node when the authentication process does not authenticate the client node.
  - 3. The method as defined by claim 2 wherein rejecting comprises blocking packets of the client node from access to the plurality of nodes in the local network.
  - 4. The method as defined by claim 1 wherein the client information comprises identifying information identifying the client node.
  - 5. The method as defined by claim 1 wherein routing data packets comprises:
    - using the client information to determine the identity of the server node in the local network to receive the data packets from the client node; and
      
      routing data packets from the client node to the identified server node.
  - 6. The method as defined by claim 5 wherein routing permits access to the server node by the client node when authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the server node.
  - 7. The method as defined by claim 1 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the server node, or c) both (a) and (b).
  - 8. The method as defined by claim 7 wherein routing data packets comprises routing data packets as specified by one or both identifying information and the policy information.
  - 9. The method as defined by claim 1 wherein the server node comprises an application server and the local network includes a local area network.
  - 10. The method as defined by claim 1 wherein handshake processes are not performed between the client node and the server node during the session.
  - 11. The method as defined by claim 1 wherein executing an authentication process comprises receiving a login ID and password for a guest user, and confirming the login ID and password are valid for access in the local network.
  - 12. The method as defined by claim 11 further comprising determining a client device identifier that identifies the client node device, and using the client device identifier and the client certificate to execute the authentication process.
  - 13. The method as defined by claim 12 wherein the client device identifier comprises a MAC address.
  - 14. The method as defined by claim 1, further comprising:
    - facilitating at least limited access to the server node based on the client information in the client certificate.
  - 15. The method as defined by claim 14 wherein the client information includes policy information.
  - 16. The method as defined by claim 15 wherein the server node has an associated set of access privileges, facilitating at least limited access comprising permitting the client node at least one of the associated set of access privileges.

17. A network routing device for routing data received across a network, the network device comprising:
- an interface for receiving;
  
  a) a session request from a client node to access a server node in a local network, the local network comprising a plurality of nodes other than the client node, the interface being coupled between the client node and the local network, b) a client certificate from the client node, the client certificate having client information comprising a public key of the client node and specifying the server node and c) a signature from the client node, the signature being encrypted according to a private key of the client node;
  
  an authenticator operatively coupled with the interface, the authenticator being configured to retrieve the client certificate and execute an authentication process using the client certificate, wherein the authentication process includes using the public key to verify the signature; and
  
  a router operatively coupled with the authenticator, the router being configured to determine, from the authenticator, when the authentication process authenticated the client node, the router further being configured to maintain a static connection between the router and the server node, receive data packets from the client node and route the data packets along the static connection to the server node specified by the client information in the client certificate when the client node is authenticated, such that all data packets of the session received by the server node flow through the router.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The network routing device as defined by claim 17 wherein the client information comprises identifying information identifying the client node.
  - 19. The network routing device as defined by claim 17 wherein the router is configured to use the client information to determine the identity of the server node, the router further being configured to route client data packets from the client node to the identified server node.
  - 20. The network routing device as defined by claim 19 wherein the router is configured to permit access to the server node by the client node when authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the server node.
  - 21. The network routing device as defined by claim 17 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the server node, or c) both (a) and (b).
  - 22. The network routing device as defined by claim 21 wherein the router is configured to route data packets as specified by one or both identifying information and the policy information.
  - 23. The networking device as defined by claim 17 wherein the router is configured as an edge router for the local network.

24. A computer program product for use on a computer system for routing data across a network, the computer program product comprising a tangible, non-transient computer usable medium having computer readable program code thereon, the computer readable program code comprising:
- program code for receiving, at an edge node, a session request from a client node to access, during a session, a server node in a local network, the local network comprising a plurality of nodes other than the client node, the edge router being coupled between the client node and the local network;
  
  program code for receiving, by the edge router, a client certificate from the client node, the client certificate having client information comprising a public key of the client node and specifying the server node;
  
  program code for receiving, by the edge router, from the client node, a signature encrypted according to a private key of the client node;
  
  program code for executing an authentication process using the client certificate, wherein the authentication process includes using the public key to verify the signature;
  
  program code for retrieving the client information from the client certificate;
  
  program code for maintaining a static connection between the edge router and the server node; and
  
  program code for receiving, by the edge router, data packets from the client node and, routing the data packets to the server node specified by the client information in the client certificate when the authentication process authenticates the client node, such that all data packets of the session received by the server node flow through the edge router, wherein routing the data packets to the server node comprises routing the data packets along the static connection.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. The computer program product as defined by claim 24 further comprising program code for rejecting the client node when the authentication process cannot authenticate the client node.
  - 26. The computer program product as defined by claim 25 wherein the program code for rejecting comprises program code for blocking packets of the client node from access to the plurality of nodes in the local network.
  - 27. The computer program product as defined by claim 24 wherein the client information comprises identifying information identifying the client node.
  - 28. The computer program product as defined by claim 24 wherein the program code for routing data packets comprises:
    - program code for using the client information to determine the identity of the server node; and
      
      program code for routing data packets from the client node to the identified server node.
  - 29. The computer program product as defined by claim 28 wherein the program code for routing permits access to the server node by the client node when authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the server node.
  - 30. The computer program product as defined by claim 24 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the server node in the local network, or c) both (a) and (b).
  - 31. The computer program product as defined by claim 30 wherein the program code for routing data packets comprises program code for routing data packets as specified by one or both identifying information and the policy information.
  - 32. The computer program product as defined by claim 24 wherein the server node comprises an application server and the local network includes a local area network.
  - 33. The computer program product as defined by claim 24 wherein handshake processes are not performed between the client node and the server node during the session.
  - 34. The computer program product as defined by claim 24 further comprising:
    - program code for permitting initial handshake processes between the client node and the server node before receiving the certificate; and
      
      program code for permitting completion of final handshake processes between the client node and server node when the authentication process authenticates the client node.

35. A method of routing data across a network, the method comprising:
- receiving, at an edge router, a session request from a client node to access, during a session, a server node in a local network, the local network comprising a plurality of nodes other than the client node, the edge router being coupled between the client node and the local network;
  
  receiving, by the edge router, a client certificate from the client node, the client certificate having client information comprising a public key of the client node and specifying the server node;
  
  receiving, by the edge router, from the client node, a signature encrypted according to a private key of the client node;
  
  executing an authentication process using the client certificate, wherein the authentication process includes using the public key to verify the signature;
  
  retrieving the client information from the client certificate;
  
  permitting initial handshake processes between the client node and the server node before receiving the client certificate; and
  
  receiving, by the edge router, data packets from the client node and, when the authentication process authenticates the client node, permitting completion of final handshake processes between the client node and server node and routing, by the edge router, the data packets to the server node specified by the client information in the client certificate, such that all data packets of the session received by the server node flow through the edge router.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 36. The method as defined by claim 35 further comprising rejecting the client node when the authentication process does not authenticate the client node.
  - 37. The method as defined by claim 36 wherein rejecting comprises blocking packets of the client node from access to the plurality of nodes in the local network.
  - 38. The method as defined by claim 35 wherein the client information comprises identifying information identifying the client node.
  - 39. The method as defined by claim 35 wherein routing data packets comprises:
    - using the client information to determine the identity of the server node in the local network to receive the data packets from the client node; and
      
      routing data packets from the client node to the identified server node.
  - 40. The method as defined by claim 39 wherein routing permits access to the server node by the client node when authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the server node.
  - 41. The method as defined by claim 35 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the server node, or c) both (a) and (b).
  - 42. The method as defined by claim 41 wherein routing data packets comprises routing data packets as specified by one or both identifying information and the policy information.
  - 43. The method as defined by claim 35 wherein the server node comprises an application server and the local network includes a local area network.
  - 44. The method as defined by claim 35 wherein an edge router receives the session request, the method further comprising maintaining a static connection between the edge router and the server node, routing comprising routing data packets from the client node along the static connection.
  - 45. The method as defined by claim 35 wherein executing an authentication process comprises receiving a login ID and password for a guest user, and confirming the login ID and password are valid for access in the local network.
  - 46. The method as defined by claim 45 further comprising determining a client device identifier that identifies the client node device, and using the client device identifier and the client certificate to execute the authentication process.
  - 47. The method as defined by claim 46 wherein the client device identifier comprises a MAC address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Original Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Inventors
Kumar, Prashant, Timmons, Patrick, MeLampy, Patrick J.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/671,744
Publication Number

US 20170339194A1
Time in Patent Office

420 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/02   for separating internal fro...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Apparatus and method for using certificate data to route data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for using certificate data to route data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links